diff --git a/Documentation/authproxy.md b/Documentation/authproxy.md
index 10ff198079a28339b284aa0cc9756bd35ceac621..c0771856995568baea8325c71302df15a4a93158 100644
--- a/Documentation/authproxy.md
+++ b/Documentation/authproxy.md
@@ -25,6 +25,15 @@ location and provides the result in the X-Remote-User HTTP header. The following
 configuration will work for Apache 2.4.10+:
 
 ```
+<Location /dex/>
+    ProxyPass "http://localhost:5556/dex/"
+    ProxyPassReverse "http://localhost:5556/dex/"
+
+    # Strip the X-Remote-User header from all requests except for the ones
+    # where we override it.
+    RequestHeader unset X-Remote-User
+</Location>
+
 <Location /dex/callback/myBasicAuth>
     AuthType Basic
     AuthName "db.debian.org webPassword"
@@ -62,6 +71,10 @@ virtual host configuration in e.g. `/etc/apache2/sites-available/sso.conf`:
     <Location /dex/>
         ProxyPass "http://localhost:5556/dex/"
         ProxyPassReverse "http://localhost:5556/dex/"
+
+        # Strip the X-Remote-User header from all requests except for the ones
+        # where we override it.
+        RequestHeader unset X-Remote-User
     </Location>
 
     <Location /dex/callback/myBasicAuth>
diff --git a/server/server.go b/server/server.go
index d1e1ff56da6dd345f92071839aa41266232308c3..65de3b834c0253d35946a5e92def8d62f5ba7003 100644
--- a/server/server.go
+++ b/server/server.go
@@ -8,6 +8,7 @@ import (
 	"net/http"
 	"net/url"
 	"path"
+	"strings"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -240,7 +241,16 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
 	handleWithCORS("/keys", s.handlePublicKeys)
 	handleFunc("/auth", s.handleAuthorization)
 	handleFunc("/auth/{connector}", s.handleConnectorLogin)
-	handleFunc("/callback", s.handleConnectorCallback)
+	r.HandleFunc(path.Join(issuerURL.Path, "/callback"), func(w http.ResponseWriter, r *http.Request) {
+		// Strip the X-Remote-* headers to prevent security issues on
+		// misconfigured authproxy connector setups.
+		for key := range r.Header {
+			if strings.HasPrefix(strings.ToLower(key), "x-remote-") {
+				r.Header.Del(key)
+			}
+		}
+		s.handleConnectorCallback(w, r)
+	})
 	// For easier connector-specific web server configuration, e.g. for the
 	// "authproxy" connector.
 	handleFunc("/callback/{connector}", s.handleConnectorCallback)
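Review bot: The loop in the new `/callback` wrapper matches header names case-insensitively via `strings.ToLower(key)` but removes them with `r.Header.Del(key)`, which canonicalizes `key` through `textproto.CanonicalMIMEHeaderKey` before deleting; a key stored in the map in non-canonical form (possible if an earlier handler assigned into the map directly rather than via `Set`/`Add`) would pass the prefix check yet survive the `Del`, so the strip is not as complete as the comment promises. Since the loop already holds the exact map key, `delete(r.Header, key)` removes precisely the matched entry and deleting during `range` over a map is well-defined in Go. Separately, the closure parameter `r *http.Request` shadows the router `r` used on the enclosing `r.HandleFunc(...)` line, which reads correctly but invites mistakes if the body grows; naming the request `req` or registering through the existing `handleFunc` helper (which presumably applies the same `path.Join(issuerURL.Path, …)` prefix — worth confirming) would avoid the double meaning. The comment could also state the scope explicitly, e.g. `// Only the generic /callback route is stripped; /callback/{connector} intentionally forwards X-Remote-* so the authproxy connector can read it.`, since the route on the following line depends on that distinction. newServer begins and ends outside this hunk.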