For security reasons, you should make sure that the Authorization header has the expected content. You simply should not accept a header that does not start with Bearer if you are expecting it (“Bearer” is a recommendation in the RFC; it is not mandatory).
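// Accept only a header that uses the expected Bearer scheme
let token;
if (typeof authHeader === "string" && authHeader.startsWith("Bearer ")) {
  token = authHeader.substring(7); // drop the 7-character "Bearer " prefix
} else {
  // Error: missing header or unexpected scheme
}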
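
A stricter form of the check above, as an added example that is not part of the original text. It goes beyond the snippet by matching the scheme case-insensitively (RFC 7235) and validating the token against the RFC 6750 `b64token` syntax; `parseBearer`, the `reason` strings and `MAX_HEADER_LENGTH` are hypothetical names and values chosen for illustration.

```javascript
// Added example: strict parsing of an Authorization header that is expected
// to carry a Bearer token. All names here are hypothetical.

// RFC 6750: b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
const B64TOKEN = /^[A-Za-z0-9\-._~+\/]+=*$/;
const MAX_HEADER_LENGTH = 8192; // assumed upper bound, tune per deployment

function parseBearer(authHeader) {
  // Absent header, or a non-string value (for example an array, if the
  // framework exposes repeated headers that way): never guess, reject.
  if (typeof authHeader !== "string") {
    return { ok: false, reason: "missing_or_not_string" };
  }
  if (authHeader.length > MAX_HEADER_LENGTH) {
    return { ok: false, reason: "too_long" };
  }
  // Split on the first space only: scheme, then credentials.
  const sep = authHeader.indexOf(" ");
  if (sep === -1) {
    return { ok: false, reason: "malformed" };
  }
  const scheme = authHeader.slice(0, sep);
  const token = authHeader.slice(sep + 1);
  // Authentication scheme names are case-insensitive (RFC 7235).
  if (scheme.toLowerCase() !== "bearer") {
    return { ok: false, reason: "wrong_scheme" };
  }
  // Rejects empty tokens, extra spaces, control characters and trailing data.
  if (!B64TOKEN.test(token)) {
    return { ok: false, reason: "bad_token_syntax" };
  }
  return { ok: true, token };
}

// Constructed sample headers, not real credentials.
for (const h of ["Bearer abc.def-ghi", "Basic dXNlcjpwYXNz", "Bearer abc def"]) {
  console.log(JSON.stringify(h), "->", JSON.stringify(parseBearer(h)));
}
```

Any result with `ok: false` should lead to a 401 response without passing the raw header value on to token verification.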