code review suggestions

specification/trace/semantic_conventions/http.md

@@ -94,7 +94,11 @@ It is recommended to also use the general [network attributes][], especially `ne
 | `http.request.header.<key>` | string[] | HTTP request headers, `<key>` being the HTTP Header name (case preserving), the value being the header values. [1] [2] | `http.request.header.Content-Type=["application/json"]`; `http.request.header.X-Forwarded-for=["1.2.3.4", "1.2.3.5"]` | No |
 | `http.response.header.<key>` | string[] | HTTP response headers, `<key>` being the HTTP Header name (case preserving), the value being the header values. [1] [2] | `http.response.header.Content-Type=["application/json"]`; `http.response.header.My-custom-header=["abc", "def"]` | No |
 
-**[1]:** Certain headers MAY be sanitized or omitted to avoid leaking sensitive information.
+**[1]:** Instrumentations SHOULD require an explicit configuration of which headers are to be captured (e.g. an allowlist).
+Including all request/response headers can be a security risk - explicit configuration helps avoid leaking sensitive information.
+
+Some HTTP headers - `Host` and `User-Agent` - are already captured in the `http.host` and `http.user_agent` attributes.
+These headers SHOULD NOT be captured as a part of this convention.
 
 **[2]:** The attribute value MAY contain separate header value as separate items, or concatenated header values as one item, depending on the way the HTTP library provides access to headers.