looks like a bug to me if it works in one section but not the other.
Yes I raised a BMC support case, and they mentioned OOB it's not possible , and some investigation in progress.. But really header is something the most important , since that's the only place in which authentication information is stored, and we don't want it's to be plainly available.
The "saving grace" here is that unless someone can "access" the configuration in the Module (so, permissions into AO to see the "insecure" value), then the system "should mask" the value in the log files e.g. Grid/Process log.
This feature of masking the passwords in the logging was introduced some versions ago - so I would check that although the value is plain text in the Module Configuration, then this is is actually "masked (usually "***" or similar) in the Process/Grid log.
This may meet the requirement if InfoSec is involved as you can limit the access to the configuration in AO, yet not expose the value in the generated log files.
Something to look at.
We have had the same issue & were directed to submit an enhancement request: Allow Password Masking via BAO REST Adapter
If you're facing the same problem, please "up-vote" this, and hopefully we'll see an enhancement to the REST adapter functionality in a future release : )
This will require enhancement to adapter and related content.