Does the Error 400 Missing Required Header response apply only to the headers described in the CDS HTTP Headers section? If the missing header is not required by Consumer Data Standards (CDS), but instead by the upstream normative FAPI and OIDC standards, should the error response instead follow those standards?
If the missing header is required by the CDS, then the Data Holder (DH) should respond with an error naming the missing header they were expecting, as described in the CDS Error Codes section. This applies, for example, when the "x-v" header is missing, or when the "Content-Type" or "x-fapi-interaction-id" header is missing in a request where it is required.
If the Authorization header is missing, the DH is likely to respond in line with the normative spec. Depending on their architecture, they may respond with the CDS error, but it is not expected.
If the error is handled further up their application stack, at their WAF or API Gateway, CDS response customisation may not be possible.
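The split described above, as an added example that is not part of the original answer or of the CDS itself: a missing Authorization header gets a bearer challenge (assumed here to be the RFC 6750 form), while a missing CDS header gets a 400 whose error detail names the header. The function name, the `realm` value and the two flags are hypothetical; the error code URN and title are the ones listed in the CDS Error Codes section.

```python
# Added example: header checks a Data Holder might run on a resource request.
# check_headers, has_body and require_interaction_id are hypothetical names.
CDS_MISSING_HEADER = "urn:au-cds:error:cds-all:Header/Missing"


def check_headers(headers, has_body=False, require_interaction_id=False):
    """Return (status, response_headers, body) for a rejected request,
    or None when every required header is present."""
    present = {name.lower() for name in headers}  # header names are case-insensitive

    # Authorization is required by the upstream standards, not by the CDS,
    # so the response is the bearer challenge rather than a CDS error body.
    if "authorization" not in present:
        return 401, {"WWW-Authenticate": 'Bearer realm="example-dh"'}, None

    # Headers required by the CDS; two of them only for some requests.
    required = ["x-v"]
    if has_body:
        required.append("Content-Type")
    if require_interaction_id:
        required.append("x-fapi-interaction-id")

    missing = [name for name in required if name.lower() not in present]
    if not missing:
        return None

    # One CDS error object per missing header, with the header name as detail.
    errors = [
        {"code": CDS_MISSING_HEADER, "title": "Missing Required Header", "detail": name}
        for name in missing
    ]
    return 400, {"Content-Type": "application/json"}, {"errors": errors}


if __name__ == "__main__":
    # Constructed sample requests.
    print(check_headers({"x-v": "1"}))
    print(check_headers({"Authorization": "Bearer abc"}, has_body=True))
```

A WAF or API gateway that rejects the request before this code runs will return its own response, which is the case the answer flags as not customisable.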