A significant increase in header sizes can be an indicator of malicious activity. Headers are usually static, and even where they contain dynamic content such as authentication tokens, those items are usually of a fixed size. Fluctuating header sizes indicate the presence of additional data which shouldn't be there.
An attacker may try to compromise a service via Host Header Injection, which add to the header length. Other attacks may try to modify authentication tokens in the header by adding new privileges or scopes, these modifications change the length of the authentication token. On compromised systems attackes may want to exfiltrate data in encoded chunks in response headers to avoid detection.
