We are hosting a Google App Engine project with a Python Flask application to run our platform. This is secured using IAP, so employees register their work e-mail as a Google account and are assigned the IAP-secured Web App User role to access our platform.
Within the project, once a user is allowed access by being added to the IAP, we differentiate users based on the provided documentation on JWT tokens.
However, we also have automated tasks running within the developed platform. To differentiate between a user accessing a route and a cron job accessing a route, we make use of the X-Appengine-Cron header, per the documentation on validating cron requests.
It has now come to our attention that this header is spoofable. E.g. a malicious user (who is part of the IAP) is able to pass the X-Appengine-Cron header (we also tested the X-Forwarded-For and X-Appengine-Queuename headers), and that value will be used. It is not sanitized as is suggested by the App Engine documentation.
Although this is not a serious concern considering this is all only possible when part of the IAP (this is not something we hand out lightly), I am wondering if part of our implementation is incorrect or why the documentation suggests something other than what we are seeing.
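The request classification described in the question, written out as a framework-agnostic Python example with a constructed spoofed request beside a constructed genuine cron request. This is an added example, not the original poster's code: it assumes the documented header names `X-Appengine-Cron`, `X-Goog-Authenticated-User-Email` and `X-Goog-IAP-JWT-Assertion`, and its "identity-first" variant is an assumed hardening that treats any request carrying an IAP end-user identity as a user request even when it also carries the cron header. That assumption (genuine cron requests arrive without an IAP identity) should be confirmed against your own request logs before relying on it, and the JWT assertion must still be verified against IAP's public keys in production.

```python
"""Classify an App Engine request as cron, IAP end-user or anonymous from its headers.

Added example (not from the question). Works on any mapping of header
name -> value, so it can be called from a Flask handler with request.headers.
"""
from dataclasses import dataclass
from typing import Mapping, Optional

# Header names: the first is documented by App Engine cron, the other two by IAP.
CRON_HEADER = "X-Appengine-Cron"
IAP_EMAIL_HEADER = "X-Goog-Authenticated-User-Email"
IAP_JWT_HEADER = "X-Goog-IAP-JWT-Assertion"


@dataclass(frozen=True)
class Caller:
    kind: str               # "cron", "user" or "anonymous"
    email: Optional[str]    # IAP-asserted e-mail for "user", otherwise None


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup over a plain mapping."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def _iap_email(value: Optional[str]) -> Optional[str]:
    """IAP sends 'accounts.google.com:alice@example.com'; keep only the address."""
    if not value:
        return None
    return value.split(":", 1)[-1]


def classify_header_only(headers: Mapping[str, str]) -> Caller:
    """The pattern from the question: trust X-Appengine-Cron before anything else.

    A caller who can add the header is classified as cron regardless of who
    IAP says they are.
    """
    if _header(headers, CRON_HEADER) == "true":
        return Caller("cron", None)
    email = _iap_email(_header(headers, IAP_EMAIL_HEADER))
    if email:
        return Caller("user", email)
    return Caller("anonymous", None)


def classify_identity_first(headers: Mapping[str, str]) -> Caller:
    """Assumed hardening: an IAP identity wins over the cron header.

    Assumption: genuine cron requests carry no IAP end-user identity, so a
    request that has both was sent by a logged-in person. The JWT assertion
    is only checked for presence here; production code must verify it (e.g.
    google.oauth2.id_token.verify_token against IAP's published keys).
    """
    email = _iap_email(_header(headers, IAP_EMAIL_HEADER))
    assertion = _header(headers, IAP_JWT_HEADER)
    if email or assertion:
        return Caller("user", email)
    if _header(headers, CRON_HEADER) == "true":
        return Caller("cron", None)
    return Caller("anonymous", None)


# Constructed sample requests (header values are illustrative, not captured).
GENUINE_CRON = {
    "X-Appengine-Cron": "true",
    "User-Agent": "AppEngine-Google; (+http://code.google.com/appengine)",
}
IAP_USER = {
    "X-Goog-Authenticated-User-Email": "accounts.google.com:alice@example.com",
    "X-Goog-IAP-JWT-Assertion": "eyJ...constructed-opaque-token...",
}
# The case from the question: an IAP user who adds the cron header themselves.
SPOOFED_CRON = dict(IAP_USER, **{"x-appengine-cron": "true"})


def compare(headers: Mapping[str, str]) -> dict:
    """Run both classifiers on one request so the difference is visible."""
    return {
        "header_only": classify_header_only(headers),
        "identity_first": classify_identity_first(headers),
    }


if __name__ == "__main__":
    for label, req in [("genuine cron", GENUINE_CRON), ("iap user", IAP_USER),
                       ("spoofed cron", SPOOFED_CRON)]:
        print(label, compare(req))
```

In a Flask application the classifier sits in a `before_request` hook or a route decorator, receiving `request.headers`; the cron-only routes then require `kind == "cron"` from the identity-first classifier rather than reading the header directly. Both `X-Goog-*` headers are only trustworthy when every path to the service goes through IAP, which is why the JWT assertion, not the e-mail header alone, should be the thing you verify.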