HTTP – What Belongs in a Request Header vs the Request Body?

If you don't really care about security you may consider trimming the fields with Javascript when the form submit button is clicked (event *onsubmit" to implement). Now, this is of course easily bypassable since it's client server code.

Otherwise, for a server-side solution, all your solutions work. I'm not sure about the module but I think it will perform this trimming for all applications on the server, right? So you may consider that factor if your application is not the only one deployed.

Finally, but you may have considered that already, you can properly do the trimming using HTTP request listeners.

In J2EE (or whatever it is called now), it would consist in implementing your own ServletRequestListener and requestInitialized method. The advantage here is that you can package this listener in a simple JAR and add it (and its configuration in web.xml) only for the applications that require that.

In .NET, it would consist in overriding the Application_BeginRequest method in Global.asax.cs. So it would work only for the application you wrote the code for.

I would use a standardized body and not use the header. For example, every body can be JSON and include an ID field. As long as it's standardized across your platform it's guaranteed to work.

I would not use a custom header because of the risk of it getting stripped. I would not use a standard header because I don't know of one that fits perfectly (e.g. the ETag you mention is used to determine file changes and caching keys.)