I see three possible ways that might be used to ensure a web agent is never bypassed, and thus ensure a user cannot spoof headers at an app server.
I'm looking for wisdom/experience on each of these -- or possibly other methods I've not thought of.
1) IP Restriction
Pros: Simple to configure on IIS, etc.
Cons: Can break production applications when new web servers/app servers are introduced. Also, some apps like JBoss want to restrict app access always -- but allow direct access for admins.
2) Client Certs
3) OFC -- encrypt responses consumed by applications
Pros: Get around hassles with IP Restriction and cert management. Unless a "hacker" knew the strong session key, there's no way to spoof headers/cookies.
Cons: Custom code? But our thinking is we could easily abstract this for our developers since CA provides most of what is needed.
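As an added example (not code from the original post or from CA), the app-server side of option 3 can be done by having the web agent attach an HMAC over the identity headers using a key shared only with the app tier, so a client that reaches the app server directly cannot forge them. The header names, the shared key and the 300-second replay window are assumptions for the demo.

```python
import hmac
import hashlib
import time

# Constructed demo secret shared between the web agent and the app server.
# Assumption: in production this is provisioned from a key store, never hard-coded.
SHARED_KEY = b"constructed-demo-key-not-for-production"

# Reject signatures older than this to bound replay of captured headers (assumed window).
MAX_SKEW_SECONDS = 300

# Identity headers the agent is assumed to set; the app trusts nothing else.
SIGNED_HEADERS = ("X-User", "X-Roles", "X-Timestamp")


def canonical(headers):
    """Serialize exactly the signed headers in a fixed order so both sides MAC the same bytes."""
    return "\n".join(f"{name}={headers.get(name, '')}" for name in SIGNED_HEADERS).encode()


def sign_headers(headers, key=SHARED_KEY):
    """Agent side: add a timestamp and an HMAC-SHA256 tag over the identity headers."""
    signed = dict(headers)
    signed.setdefault("X-Timestamp", str(int(time.time())))
    signed["X-Signature"] = hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()
    return signed


def verify_headers(headers, key=SHARED_KEY, now=None):
    """App side: accept identity headers only if present, fresh and correctly signed."""
    tag = headers.get("X-Signature")
    if not tag or "X-Timestamp" not in headers:
        return False  # request did not pass through the agent (or tag was stripped)
    try:
        ts = int(headers["X-Timestamp"])
    except ValueError:
        return False
    now = time.time() if now is None else now
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale: possible replay of previously captured headers
    expected = hmac.new(key, canonical(headers), hashlib.sha256).hexdigest()
    # Constant-time comparison so response timing leaks nothing about the tag.
    return hmac.compare_digest(expected, tag)
```

The app should also drop or overwrite any X-User/X-Roles headers on requests that fail verification rather than fall back to trusting them.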