The headers are seen by the monster-in-the-middle CDN.

It's obfuscation at best. I'm not sure the encrypted traffic will look particularly php-ish for example. Compressed formats might look vaguely passable.

I can't see any stenography code or libraries in the repo.

> I don’t get why headers and requests need to be spoofed if all traffic is over https?

Because the traffic is to a CDN endpoint (like Cloudflare) which expects it to be a HTTP message.

> I don’t get why headers and requests need to be spoofed if all traffic is over https?

https://en.wikipedia.org/wiki/Deep_packet_inspection

Because SNI. Also, State (sponsored) Actors are certificate authorities. HTTPS is the biggest scam in internet history. https://en.wikipedia.org/wiki/Server_Name_Indication