why is emitting headers the default? That's a security hole

[pszabop]

skipHeaders defaults to false.

This means the entire world is getting these headers, which exposes internal implementation details and is thus a security flaw:

X-RateLimit-Limit: 20
X-RateLimit-Remaining: 19
X-RateLimit-Reset: 1510250052
X-Request-Id: da62f2a0-c576-11e7-b7fc-89bce46f8f85

Please consider changing the default in the next major release.

See this article about unnecessary exposure of implementation details.