> I don’t get why headers and requests need to be spoofed if all traffic is over https?
Because the traffic is to a CDN endpoint (like Cloudflare) which expects it to be an HTTP message.
It can still be an HTTPS message. Who cares what the path, query string, or headers look like? That is all encrypted.