Description
Currently even if security is enabled, you can use the web UI tracing/rpcz/etc to see current RPC traffic, including tokens returned from ConnectToMaster RPCs, etc. We need to enable redaction for the stringified PBs in the traces, and probably offer the ability to disable web UI pages entirely.