In our environment we allow users to authenticate via HTTP Header Variable Authentication, and we fetch the value from SSL_CLIENT_S_DN_CN to get their username. This value is populated by the Oracle Application Server after the user selects his client certificate. I was just wondering how secure this method is. Can a user potentially spoof the header variable SSL_CLIENT_S_DN_CN? How can I protect against spoofing?
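The trust boundary this question turns on, as an added example that is not part of the original post and is not Oracle's code: the TLS-terminating front end discards any client-sent copy of the header and sets it only from the verified certificate, and the application accepts it only on connections from that front end. The function names and the 10.0.0.0/24 front-end network are hypothetical.

```python
"""Added example: trust-boundary handling for a certificate-derived identity header."""
import ipaddress

IDENTITY_HEADER = "SSL_CLIENT_S_DN_CN"  # header name taken from the question
# Assumption for this sketch: the TLS-terminating front end lives on this network.
TRUSTED_FRONTENDS = [ipaddress.ip_network("10.0.0.0/24")]


def canonical(name):
    """Fold case and '-'/'_' so both spellings of the header name compare equal.

    CGI-style gateways map 'Ssl-Client-S-Dn-Cn' and 'SSL_CLIENT_S_DN_CN' to the
    same HTTP_* variable, so an exact-match filter would miss one spelling.
    """
    return name.strip().upper().replace("-", "_")


def sanitize_at_frontend(client_headers, verified_cn):
    """Front end: drop every client-sent copy of the identity header, then set
    it only from the subject CN of the certificate validated in the handshake.

    client_headers: list of (name, value) pairs as received from the client.
    verified_cn:    CN of the verified client certificate, or None if absent.
    """
    target = canonical(IDENTITY_HEADER)
    kept = [(n, v) for n, v in client_headers if canonical(n) != target]
    if verified_cn is not None:
        kept.append((IDENTITY_HEADER, verified_cn))
    return kept


def username_at_backend(peer_ip, headers):
    """Back end: honour the header only on connections from the front end and
    only when exactly one non-empty copy is present; otherwise return None."""
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in TRUSTED_FRONTENDS):
        return None  # direct connection that bypassed the front end
    target = canonical(IDENTITY_HEADER)
    values = [v.strip() for n, v in headers if canonical(n) == target]
    if len(values) != 1 or not values[0]:
        return None  # missing, duplicated or empty: treat as unauthenticated
    return values[0]
```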