How to whitelist Headers?

I’m attempting to use custom headers to implement an SSO solution. From the connections doc:

httpHeadersObject
When the connection came in over an HTTP transport (such as with Meteor’s default SockJS implementation), this field contains whitelisted HTTP headers.

Where / how do I whitelist a header? There doesn’t seem to be a complete list (my custom headers are missing along with a few others).