
DRAFT: fix: Secure x-forwarded-* headers from untrusted proxies #4171


Open: wants to merge 9 commits into base: v3.x.x

Conversation

richard-salac (Contributor) commented Jun 17, 2025

Description

Enable forwarding of X-Forwarded... headers from trusted proxies only; this mitigates CVE-2025-41235. The pattern to identify trusted proxies can be set via the apiml.security.forwardHeader.trustedProxies property. If the request is signed by the Zowe certificate, it is trusted even if the property is not set.

If the headers are received from an untrusted source, they are removed from the request and apiml creates new ones.

cherry-pick from v2: #4148

Linked to # (issue)
Part of the # (epic)

Type of change

Please delete options that are not relevant.

  • fix: Bug fix (non-breaking change which fixes an issue)
  • feat: New feature (non-breaking change which adds functionality)
  • docs: Change in a documentation
  • refactor: Refactor the code
  • chore: Chore, repository cleanup, updates the dependencies.
  • BREAKING CHANGE or !: Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

  • My code follows the style guidelines of this project
  • PR title conforms to the commit message guideline (Commit Message Structure Guideline)
  • I have commented my code, particularly in hard-to-understand areas. In JS I did provide JSDoc
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • The java tests in the area I was working on leverage @nested annotations
  • Any dependent changes have been merged and published in downstream modules

For more details about how the code should look, read the Contributing guideline.
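The trusted-proxy rule from the PR description above, sketched as an added Python example (not the project's own Java code): the set of header names, matching the peer address as a full regular expression against the apiml.security.forwardHeader.trustedProxies pattern, and the sample request are assumptions made for illustration.

```python
import re
from typing import Dict, List, Optional

# Forwarding headers that only a trusted proxy may assert (assumed set).
FORWARDED_HEADERS = ("x-forwarded-for", "x-forwarded-proto",
                     "x-forwarded-host", "x-forwarded-port", "x-forwarded-prefix")


def is_trusted_proxy(remote_addr: str, trusted_proxies: Optional[str],
                     client_cert_trusted: bool) -> bool:
    """Rule from the PR description: a request signed by the Zowe certificate is
    trusted even with no pattern configured; otherwise the peer address must match
    the configured pattern (full regex match here is an assumption)."""
    if client_cert_trusted:
        return True
    if not trusted_proxies:
        return False
    return re.fullmatch(trusted_proxies, remote_addr) is not None


def sanitize_forwarded_headers(headers: Dict[str, List[str]], remote_addr: str,
                               scheme: str, host: str, port: int,
                               trusted_proxies: Optional[str],
                               client_cert_trusted: bool) -> Dict[str, List[str]]:
    """Headers to send downstream. From a trusted proxy the X-Forwarded-* values are
    kept; from anyone else they are dropped (a client could have set them to spoof
    its address or scheme) and rebuilt from the connection the gateway saw."""
    out = {name.lower(): list(values) for name, values in headers.items()}
    if is_trusted_proxy(remote_addr, trusted_proxies, client_cert_trusted):
        return out
    for name in FORWARDED_HEADERS:
        out.pop(name, None)
    out["x-forwarded-for"] = [remote_addr]
    out["x-forwarded-proto"] = [scheme]
    out["x-forwarded-host"] = [host]
    out["x-forwarded-port"] = [str(port)]
    return out


if __name__ == "__main__":
    # Constructed request: a direct client claims to come from localhost over HTTPS.
    spoofed = {"X-Forwarded-For": ["127.0.0.1"], "X-Forwarded-Proto": ["https"]}
    pattern = r"10\.0\.0\.\d+"   # assumed trustedProxies value: one internal subnet
    print(sanitize_forwarded_headers(spoofed, "203.0.113.5", "http",
                                     "gateway.example", 10010, pattern, False))
    print(sanitize_forwarded_headers(spoofed, "10.0.0.7", "http",
                                     "gateway.example", 10010, pattern, False))
```

The first call comes from an address outside the pattern, so the spoofed values are replaced by the real peer address and scheme; the second comes from a matching proxy and its headers pass through unchanged.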

@github-actions github-actions bot added the Sensitive Sensitive change that requires peer review label Jun 17, 2025
@richard-salac richard-salac changed the base branch from v3.x.x to reboot/update/v3_java_only June 17, 2025 13:30
@richard-salac richard-salac changed the title Secure x-forwarded-* headers from untrusted proxies fix: Secure x-forwarded-* headers from untrusted proxies Jun 17, 2025
Signed-off-by: Richard Salac <[email protected]>
@richard-salac richard-salac changed the title fix: Secure x-forwarded-* headers from untrusted proxies DRAFT: fix: Secure x-forwarded-* headers from untrusted proxies Jun 17, 2025
@richard-salac richard-salac changed the base branch from reboot/update/v3_java_only to v3.x.x June 17, 2025 14:34
@EvaJavornicka EvaJavornicka moved this from New to In Progress in API Mediation Layer Backlog Management Jun 18, 2025
Labels: Sensitive (Sensitive change that requires peer review), size/XL
Project status: In Progress