According to the STET specification, all TPP requests must be signed. You must therefore enforce the HTTP request signature verification.
To disable HTTP request signature verification (e.g. for step-wise integration or troubleshooting), just configure the "Certificate Token Credential Extractor" instead of the plugin described in this document.