The question was about securing HTTP access by checking traffic coming from a webapp. The X-Appengine-Inbound-Appid header only applies to requests from apps running *inside* the app engine environment calling other apps in the same environment.
I was hoping to use the header too, but it can't be used for anything related to a web or mobile client calling your API.
If anyone knows a nice solution to this I'd love to hear about it.
So far the only solution I know is to send credentials in the Authenticate header and verify them, but this would create a lot of overhead for a simple REST api. I need to verify users agains a Firebase instance. Is there a way to issue a JWT token or something on Firebase login?
Cheers,
Thijs