Auth Proxy - Security

I am trying to implement Grafana Auth Proxy as documented at

Based on how it works, it seems X-WEBAUTH-USER is set in plain text. So any one who can spoof it, can get logged in.

Grafana does have a IP Whitelist, BUT I dont think its practice to maintain IP Addresses of Docker Containers (Django and Grafana are running in separate docker containers).

Questions :

  1. Is there a better implementation to achieve some thing more secured?
  2. Can whitelist have a easier value?