User input comes in many different forms, and sometimes your app will believe whatever your users tell it... especially if it's in a header! 😈
(AKA that time I tried to fix a vulnerable configuration and missed the obvious flaw...)
[$] https://securinglaravel.com/in-depth-stealing-password-tokens/