Yeah but even worse than generic L7 (usually being http). The mitigation *has* to be deferred to the application server (or custom mitm proxies). The old school forms of http-level protections are mostly useless.