From a845fe30f994d203ecc156896d9f6e241251290a Mon Sep 17 00:00:00 2001
From: Fletcher Dares
Date: Wed, 13 May 2026 18:46:50 -0400
Subject: [PATCH 1/2] Strip proxy authorization by default
---
 lib/falcon/middleware/proxy.rb | 1 +
 test/falcon/middleware/proxy.rb | 10 ++++++++++
 2 files changed, 11 insertions(+)
diff --git a/lib/falcon/middleware/proxy.rb b/lib/falcon/middleware/proxy.rb
index 88bff21..c451e7c 100644
--- a/lib/falcon/middleware/proxy.rb
+++ b/lib/falcon/middleware/proxy.rb
@@ -43,6 +43,7 @@ class Proxy < Protocol::HTTP::Middleware
 "keep-alive",
 "public",
 "proxy-authenticate",
+ "proxy-authorization",
 "transfer-encoding",
 "upgrade",
 ]
diff --git a/test/falcon/middleware/proxy.rb b/test/falcon/middleware/proxy.rb
index 6c33cf0..d9ecb51 100644
--- a/test/falcon/middleware/proxy.rb
+++ b/test/falcon/middleware/proxy.rb
@@ -26,6 +26,16 @@ def proxy_for(**options)
 let(:headers) {Protocol::HTTP::Headers["accept" => "*/*"]}
+ it "removes proxy authorization by default" do
+ headers = Protocol::HTTP::Headers[
+ "authorization" => "Bearer application",
+ "proxy-authorization" => "Basic proxy",
+ ]
+ proxy.prepare_headers(headers)
+ expect(headers["authorization"]).to be == "Bearer application"
+ expect(headers["proxy-authorization"]).to be == nil
+ end
+
 it "can select client based on authority" do
 request = Protocol::HTTP::Request.new("https", "www.google.com", "GET", "/", nil, headers, nil)
From 4a68d473f88a2a9e258b7b737eaca458f9445dfd Mon Sep 17 00:00:00 2001
From: Samuel Williams
Date: Thu, 14 May 2026 09:01:23 +0900
Subject: [PATCH 2/2] Apply suggestion from @samuel-williams-shopify
---
 test/falcon/middleware/proxy.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/falcon/middleware/proxy.rb b/test/falcon/middleware/proxy.rb
index d9ecb51..b2eab39 100644
--- a/test/falcon/middleware/proxy.rb
+++ b/test/falcon/middleware/proxy.rb
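Review bot: The new `"proxy-authorization"` entry in lib/falcon/middleware/proxy.rb (patch 1/2, first hunk) goes into the list with no comment saying why it is stripped, and the subject says "by default" although the hunk shows no option that would turn the stripping off. Proxy-Authorization carries a credential addressed to the proxy itself, so removing it before the request is forwarded keeps that credential away from the upstream application; a one-line comment above the entry would record this, e.g. `# Credentials for this hop only; must not be forwarded upstream.` A deployment that relays Proxy-Authorization to a next-hop proxy on purpose would stop authenticating after this change, so it likely deserves a release-note line. The list starts above the hunk, so whether `te` and `trailer` are already stripped cannot be checked from here.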
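Review bot: In the example added to test/falcon/middleware/proxy.rb (patch 1/2, second hunk) the local `headers` shadows the `let(:headers)` declared just above it, so a reader has to work out which of the two `prepare_headers` receives. Renaming the local, `request_headers = Protocol::HTTP::Headers[`, and using that name in the three lines that follow keeps the shared fixture and this test's input apart. The example also calls `prepare_headers` directly; whether every forwarded request passes through that method is decided outside this hunk, so an assertion on a request that actually went through the proxy would pin the behaviour the commit is after.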
@@ -33,7 +33,7 @@ def proxy_for(**options)
 ]
 proxy.prepare_headers(headers)
 expect(headers["authorization"]).to be == "Bearer application"
- expect(headers["proxy-authorization"]).to be == nil
+ expect(headers["proxy-authorization"]).to be_nil
 end
 it "can select client based on authority" do