Currently, we have path normalization on the HTTP LB and header normalization on other settings of the origin pools (default or proper case). We should allow customers the flexibility to disable request header normalization as a whole, within the settings drop down menu (on origin pool config).

Having configuration options is always preferable rather than making the developers rework the application to adopt the security product.