Insert Client Certificate In Serverside HTTP Headers
Published Mar 18, 2015
Version 1.0Was this article helpful?
If you are worried about possible tampering, 'replace' is only marginally better than 'insert'.
'replace' only replaces the last occurence of the header. So if an attacker adds their forged header twice, you end up with pretty much the same situation.
To be absolutely safe, you can do a 'remove' first (which removes all occurences of the header) and then 'insert'.