The headers should be set in the server that has the /validate endpoint so we can get the correct client IP.