We want to enforce that cookies don't belong in APIs.
To do this, we'll prevent mounted APIs from sending cookies, and we'll fail to pass through any cookies that are sent.
This is done when:
- Configure the API gateway routes to strip outgoing Set-Cookie headers
- Configure the API gateway routes to strip incoming Cookie headers