Prevent error headers from being modified. Closes hapijs#3378

Author: hueniverse

lib/transmit.js

@@ -110,11 +110,11 @@ internals.marshal = function (request, next) {
 
 internals.fail = function (request, boom, callback) {
 
-    const error = Hoek.clone(boom.output);
+    const error = boom.output;
     const response = new Response(error.payload, request);
     response._error = boom;
     response.code(error.statusCode);
-    response.headers = error.headers;
+    response.headers = Hoek.clone(error.headers);           // Prevent source from being modified
     request.response = response;                            // Not using request._setResponse() to avoid double log
 
     internals.marshal(request, (err) => {