Normal ol' SSL alone, without mutual auth, isn't sufficient since that's simply covering the transport-layer encryption. Anyone could still inject a header and the application would simply take it and go about its business... The SSL in that situation would only ensure the traffic was encrypted between the client and server, but does nothing to authenticate the client request itself to ensure it should even accept it.
Miguel mentioned mutual cert auth, which would work. Another option could be IPSec with cert/Kerberos auth (not shared secret!!!) for integrity, and blocking all direct access; if it's Windows servers, setting up IPSec is easy peasy... Linux is doable too.
Or a Web Agent on the downstream app server to sanitize headers, but that kind of defeats the purpose of SPS, right?
For some of my proxy setups, I've just used IPSec between the systems. Any request coming into the application server would be rejected, as the only trusted systems would be the proxy systems over an IPSec tunnel. There's some overhead with that, but for the most part not bad; and with automatic cert renewals it is fairly hands-off in terms of operations once it is set up.
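As an added example (not code from this thread or from any vendor's product), here is the application-server side of the mutual-cert approach suggested above, showing the header-injection problem from the first post next to its fix: the identity header the proxy sets (SM_USER is assumed here) is honoured only when the TLS peer presented the proxy's own client certificate, and any request that arrives without it is refused and has its identity headers stripped. The `SSL_CLIENT_VERIFY` / `SSL_CLIENT_S_DN` variables follow Apache mod_ssl conventions for exporting the client-cert result into the request environment; the proxy's DN, the header names and the sample requests are constructed assumptions.

```python
# Added example: WSGI middleware that honours a proxy-set identity header only
# when the TLS peer is the trusted proxy. Not code from the thread; the
# SSL_CLIENT_* names follow Apache mod_ssl conventions, and the proxy DN,
# header names and sample requests below are assumptions.

# Subject DN of the proxy's client certificate (assumed value).
TRUSTED_PROXY_DNS = frozenset({"CN=sps01.example.com,O=Example Corp"})

# Identity headers the proxy is expected to set, in WSGI environ form
# (HTTP_SM_USER is how the SM_USER request header appears to the app).
IDENTITY_HEADERS = ("HTTP_SM_USER", "HTTP_X_REMOTE_USER")


def peer_is_trusted_proxy(environ):
    """True only if mutual TLS succeeded AND the peer cert is the proxy's.

    Checking SSL_CLIENT_VERIFY alone is not enough: any certificate issued
    by the same CA would pass, so the subject DN is pinned as well.
    """
    return (environ.get("SSL_CLIENT_VERIFY") == "SUCCESS"
            and environ.get("SSL_CLIENT_S_DN") in TRUSTED_PROXY_DNS)


def naive_identity(environ):
    """The vulnerable pattern: trust SM_USER from whoever sent the request."""
    return environ.get("HTTP_SM_USER")


def hardened_identity(environ):
    """Honour SM_USER only when the connection came from the trusted proxy."""
    if not peer_is_trusted_proxy(environ):
        return None
    return environ.get("HTTP_SM_USER")


class TrustedProxyMiddleware:
    """Reject direct requests and strip identity headers before the app sees them."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not peer_is_trusted_proxy(environ):
            for name in IDENTITY_HEADERS:
                environ.pop(name, None)
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"direct access to the application server is not permitted\n"]
        return self.app(environ, start_response)


def downstream_app(environ, start_response):
    """Stand-in for the protected application: it simply reports SM_USER."""
    user = environ.get("HTTP_SM_USER", "anonymous")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {user}\n".encode()]


def run(app, environ):
    """Minimal WSGI driver: returns (status, body) for a constructed environ."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(dict(environ), start_response))
    return captured["status"], body.decode()


# Constructed requests (not captured traffic).
# 1) Attacker reaches the app server directly and injects SM_USER=admin.
DIRECT_ATTACK = {"REQUEST_METHOD": "GET", "PATH_INFO": "/admin",
                 "HTTP_SM_USER": "admin", "SSL_CLIENT_VERIFY": "NONE"}
# 2) Same header, but over a client cert the CA issued to some other host.
WRONG_CERT = {"REQUEST_METHOD": "GET", "PATH_INFO": "/admin",
              "HTTP_SM_USER": "admin", "SSL_CLIENT_VERIFY": "SUCCESS",
              "SSL_CLIENT_S_DN": "CN=laptop42.example.com,O=Example Corp"}
# 3) Legitimate request relayed by the proxy over mutual TLS.
VIA_PROXY = {"REQUEST_METHOD": "GET", "PATH_INFO": "/admin",
             "HTTP_SM_USER": "alice", "SSL_CLIENT_VERIFY": "SUCCESS",
             "SSL_CLIENT_S_DN": "CN=sps01.example.com,O=Example Corp"}

PROTECTED_APP = TrustedProxyMiddleware(downstream_app)

if __name__ == "__main__":
    for label, env in (("direct", DIRECT_ATTACK), ("wrong cert", WRONG_CERT),
                       ("via proxy", VIA_PROXY)):
        print(label, "naive:", naive_identity(env),
              "hardened:", hardened_identity(env), run(PROTECTED_APP, env))
```

The second constructed request is the caveat worth keeping in mind with the mutual-cert option: a successful chain validation only proves the caller holds some certificate from the CA you trust, so the app server should also pin the proxy's identity (subject DN here, or an issuer restricted to a proxy-only CA), otherwise any workstation with a cert from the same enterprise CA can still inject SM_USER.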