I was issuing /ping whereas /ping and /sping are reserved endpoints for api gateway, thus always anwsering with healthy...

Attacking any other endpoint works good, segregating by certs and allowing/denying if a cert comes from trusted CA.