Tighten input validation for requests initiated by the backend

[pbochynski]

Description

Add validation for the following cases:

• The path currently only needs to start with some specific words. Apart from that it is arbitrary. This could be tightened to only support words / characters that are actually used by the Kubernetes API. For example we can supply two double percent encoded dots:

  /api/%252e%252e/some_other_path

• The request method currently can be TRACE (which is not used at all by the Kubernetes API) and OPTIONS and HEAD (which is only used when the path contains proxy)
• The request can currently contain additional entries for e.g. the forwarded and x-forwarded-for header. These are then merged into the outgoing request and could obfuscate the true origin of the request

Expected result Malicious request should be rejected with 400 response code

[mrCherry97]

Something is not working, and currently, validation is too strict. The backend is throwing 400 all the time.