Looking at the source and searching for this header, I see it is set in ProxyUtil and middleware.
If my understanding is correct, the information flow goes:
Browser → make SQL → send to DataProxy (running on server) → middleware (header added) → my REST API (checks header) → JSON returned …
Since grafana-server adds the header, it can’t be injected from the browser, and can be relied on.
Can anyone confirm / deny?
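
An added example, not part of the post above and not Grafana's own code: one way the REST API at the end of that chain could decide whether to honour the header the proxy adds. The header names, proxy address and shared secret are placeholders assumed for illustration, since the post does not name them.

```python
import hmac
import ipaddress

# Assumptions (hypothetical, not from the post): header names, proxy address, secret.
USER_HEADER = "X-Example-User"         # placeholder for the header the proxy adds
SECRET_HEADER = "X-Example-Proxy-Key"  # placeholder header carrying a proxy-only secret
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]  # constructed proxy address
PROXY_SECRET = "constructed-shared-secret"


def identity_from_request(peer_ip, headers):
    """Return the user name asserted by the proxy, or None if it must not be trusted.

    peer_ip is the TCP peer address seen by the API (never a forwarded-for header);
    headers is a mapping of request header names to values.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    addr = ipaddress.ip_address(peer_ip)
    # 1. The connection must come from the proxy host itself. A request that
    #    reaches the API directly can carry any header the sender likes.
    if not any(addr in net for net in TRUSTED_PROXIES):
        return None
    # 2. Defence in depth: a secret only the proxy is assumed to send,
    #    compared in constant time.
    supplied = hdrs.get(SECRET_HEADER.lower(), "")
    if not hmac.compare_digest(supplied.encode(), PROXY_SECRET.encode()):
        return None
    # 3. Only now read the identity header; empty or missing means anonymous.
    user = hdrs.get(USER_HEADER.lower(), "").strip()
    return user or None


# Constructed sample requests: (peer address, headers)
VIA_PROXY = ("10.0.0.5", {USER_HEADER: "alice", SECRET_HEADER: PROXY_SECRET})
DIRECT_FORGED = ("203.0.113.9", {USER_HEADER: "admin", SECRET_HEADER: PROXY_SECRET})
PROXY_NO_SECRET = ("10.0.0.5", {USER_HEADER: "alice"})

if __name__ == "__main__":
    for peer, hdrs in (VIA_PROXY, DIRECT_FORGED, PROXY_NO_SECRET):
        print(peer, "->", identity_from_request(peer, hdrs))
```

The check only holds if the API reads the peer address from the socket and is not reachable by any route that bypasses the proxy host.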