Unprotect rule does not delete headers
Found by Quentin Garnier.
When we unprotect a zone, or a complete vhost, we can access it sithout authentication, but if we own a SSO sessions, the headers are sent, and they should not: an unprotected zone can be an unsafe zone.
Seems linked to ##236 (closed)