100% agree with Michael's comments about signed headers. When dealing with
credentials, a lot of people distrust proxies and testing them - so on top
of removing all headers, anything added will be signed (or the aggregate
signed) with a low-cost method, which can easily be tested.
On
You don’t need a signed header. You just need to make sure your proxy is configured to remove that header from an incoming request and only put validated data into it before sending it to your app. This is standard for other headers set by your proxy as well. Definitely never trust a header
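As an added illustration of the two suggestions above (drop the proxy-owned headers from the incoming request, set only validated values, and optionally HMAC them so the app can check they came from the proxy), this is not code from either poster; the header names, the HMAC-SHA256 scheme and the shared key are assumptions:

```python
import hmac
import hashlib

# Headers the proxy owns; any copy arriving from the client is dropped (assumed names).
PROXY_HEADERS = ("x-client-verified", "x-client-dn", "x-client-sig")


def proxy_forward(incoming_headers, verified_subject, key):
    """Proxy side: strip client-supplied copies of the proxy-owned headers, then
    set validated values and an HMAC over them. verified_subject is the DN of a
    client certificate the proxy itself validated, or None if there was none."""
    forwarded = {k: v for k, v in incoming_headers.items()
                 if k.lower() not in PROXY_HEADERS}
    if verified_subject is not None:
        forwarded["X-Client-Verified"] = "SUCCESS"
        forwarded["X-Client-DN"] = verified_subject
    else:
        forwarded["X-Client-Verified"] = "NONE"
        forwarded["X-Client-DN"] = ""
    msg = (forwarded["X-Client-Verified"] + "\n" + forwarded["X-Client-DN"]).encode()
    forwarded["X-Client-Sig"] = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return forwarded


def app_client_identity(headers, key):
    """App side: return the client DN only if the HMAC verifies (so the values
    were set by the proxy, not the client) and the proxy reported a successful
    client-certificate check; otherwise None."""
    h = {k.lower(): v for k, v in headers.items()}
    verified = h.get("x-client-verified", "")
    dn = h.get("x-client-dn", "")
    sig = h.get("x-client-sig", "")
    expected = hmac.new(key, (verified + "\n" + dn).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    if verified != "SUCCESS":
        return None
    return dn


if __name__ == "__main__":
    key = b"constructed-shared-key"  # constructed sample; provision a real secret
    # Constructed request: the client tries to spoof the proxy-owned headers.
    spoofed = {"Host": "app.internal", "X-Client-Verified": "SUCCESS",
               "X-Client-DN": "CN=admin"}
    print(app_client_identity(proxy_forward(spoofed, None, key), key))        # None
    print(app_client_identity(proxy_forward(spoofed, "CN=alice", key), key))  # CN=alice
```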
I do a lot of work with SSL Certs. If you are using publicly trusted
client certificates (i.e. LetsEncrypt, Digisign, etc), then you basically
just need to do what Michael suggested - ensure your gateway or server
populates the headers or environment variables with the information for the