only validate headers that aren't "spoofable", which will be somewhat implementation dependent.

Zotlabs/Web/HTTPSig.php

@@ -26,6 +26,7 @@ class HTTPSig {
 
 		$body      = $data;
 		$headers   = null;
+		$spoofable = false;
 
 		$result = [
 			'signer'         => '',
@@ -80,6 +81,9 @@ class HTTPSig {
 			if(array_key_exists($h,$headers)) {
 				$signed_data .= $h . ': ' . $headers[$h] . "\n";
 			}
+			if(strpos($h,'.')) {
+				$spoofable = true;
+			}
 		}
 		$signed_data = rtrim($signed_data,"\n");
 
@@ -101,6 +105,7 @@ class HTTPSig {
 		if($x === false)
 			return $result;
 
+		if(! $spoofable)
 			$result['header_valid'] = true;
 
 		if(in_array('digest',$signed_headers)) {