Cloud Scheduler with App Engine HTTP endpoint should set X-Appengine-Cron header


Matt Byrne

Apr 27, 2022, 3:09:26 AM
to Google Cloud Developers
When you create crons via cron.yaml, it sets the X-Appengine-Cron header, which no other callers can set, and thus our endpoints can verify the caller. This is also recommended here: https://cloud.google.com/appengine/docs/flexible/nodejs/scheduling-jobs-with-cron-yaml#validating_cron_requests

When you create a job via the Cloud Scheduler UI, or via Terraform, and specify the Target Type as App Engine HTTP, then this job no longer sets that header. It does set x-cloudscheduler to true, but Google does not prevent any other caller from setting that header, thus it cannot be trusted. None of the other HTTP headers can be used to trust the source.

The only delicate and not recommended way I can think of is to use 'x-appengine-user-ip': '0.1.0.2' since in the same link above it is documented that crons come from this address. Of course this can change so we don't want to do this.

Will stick to cron.yaml for now, but seems like a missing feature.



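The header check described in the post above, as an added example that is not part of the original post or of Google's documentation. It assumes an Express-style `(req, res, next)` handler signature and Node's lowercased `req.headers`; the function names `classifyCronCaller`, `requireAppEngineCron` and `simulate` are hypothetical, and the sample requests are constructed.

```javascript
'use strict';

// Header set on cron.yaml jobs; per the post, no other caller can set it.
const TRUSTED_CRON_HEADER = 'x-appengine-cron';
// Header set by Cloud Scheduler jobs; per the post, any caller can send it.
const UNTRUSTED_HINT_HEADER = 'x-cloudscheduler';

// Decide whether a request can be treated as a platform-issued cron call.
// Only an exact 'true' on the trusted header counts; a duplicated or
// padded value (which Node would join as 'true, true') is rejected.
function classifyCronCaller(headers) {
  if (headers[TRUSTED_CRON_HEADER] === 'true') {
    return { trusted: true, reason: 'x-appengine-cron is set' };
  }
  if (headers[UNTRUSTED_HINT_HEADER] !== undefined) {
    return { trusted: false, reason: 'x-cloudscheduler is caller-controlled' };
  }
  return { trusted: false, reason: 'no cron header present' };
}

// Express-style middleware: reject anything that is not a trusted cron call.
// x-appengine-user-ip is logged for triage only and never used for trust,
// since the post notes the documented address may change.
function requireAppEngineCron(req, res, next) {
  const headers = req.headers || {};
  const verdict = classifyCronCaller(headers);
  if (!verdict.trusted) {
    console.warn('cron endpoint denied: %s (user-ip=%s)',
      verdict.reason, headers['x-appengine-user-ip'] || 'n/a');
    res.statusCode = 403;
    res.end('Forbidden');
    return;
  }
  next();
}

// Drive the middleware with a constructed request; returns the status
// the caller would see (200 if the handler behind it was reached).
function simulate(headers) {
  const res = { statusCode: 200, end() {} };
  let reached = false;
  requireAppEngineCron({ headers }, res, () => { reached = true; });
  return reached ? 200 : res.statusCode;
}
```

With this gate in place, a Cloud Scheduler job that sends only `x-cloudscheduler` is refused, which is the gap the post describes.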