What do they suggest for the secure way to validate the header line?
Let’s say it is Hash: SHA1 and then a million nbsp and then a newline

Is the header line now considered invalid because of arbitrary character limit?
Is it invalid because the maximum length of a known hash function is (insert figure here)?
Should the million nbsp be a part of the text being signed?