I'm curious about what makes it a bad idea. What is the difference between sending it as a header compared to sending it as form data? If someone has access to headers, they probably also have access to the body.