diff --git a/service/ccm/credential_external.go b/service/ccm/credential_external.go
index 456ba4fcb..f6560a2e6 100644
--- a/service/ccm/credential_external.go
+++ b/service/ccm/credential_external.go
@@ -236,7 +236,7 @@ func (c *externalCredential) buildProxyRequest(ctx context.Context, original *ht
 }
 for key, values := range original.Header {
- if !isHopByHopHeader(key) && key != "Authorization" {
+ if !isHopByHopHeader(key) && !isReverseProxyHeader(key) && key != "Authorization" {
 proxyRequest.Header[key] = values
 }
 }
diff --git a/service/ccm/credential_state.go b/service/ccm/credential_state.go
index ff64b24bc..fbde0e8ac 100644
--- a/service/ccm/credential_state.go
+++ b/service/ccm/credential_state.go
@@ -674,7 +674,7 @@ func (c *defaultCredential) buildProxyRequest(ctx context.Context, original *htt
 }
 for key, values := range original.Header {
- if !isHopByHopHeader(key) && key != "Authorization" {
+ if !isHopByHopHeader(key) && !isReverseProxyHeader(key) && key != "Authorization" {
 proxyRequest.Header[key] = values
 }
 }
diff --git a/service/ccm/service.go b/service/ccm/service.go
index 31b9de8e2..4bd24b176 100644
--- a/service/ccm/service.go
+++ b/service/ccm/service.go
@@ -128,6 +128,19 @@ func isHopByHopHeader(header string) bool {
 }
 }
 
+func isReverseProxyHeader(header string) bool {
+ lowerHeader := strings.ToLower(header)
+ if strings.HasPrefix(lowerHeader, "cf-") {
+ return true
+ }
+ switch lowerHeader {
+ case "cdn-loop", "true-client-ip", "x-forwarded-for", "x-forwarded-proto", "x-real-ip":
+ return true
+ default:
+ return false
+ }
+}
+
 const (
 weeklyWindowSeconds = 604800
 weeklyWindowMinutes = weeklyWindowSeconds / 60
diff --git a/service/ocm/credential_external.go b/service/ocm/credential_external.go
index 158459079..ca9664f1e 100644
--- a/service/ocm/credential_external.go
+++ b/service/ocm/credential_external.go
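Review bot: The new condition evaluates its three exclusions inconsistently: isReverseProxyHeader lower-cases its input, but `key != "Authorization"` on the same line is case-sensitive, so a non-canonical key such as `authorization` would pass both predicates and be copied onto the proxied request. net/http canonicalizes keys it parses itself, but a header map populated in code is not guaranteed to be canonical, so this is worth closing while the line is being touched. Consider `if !isHopByHopHeader(key) && !isReverseProxyHeader(key) && !strings.EqualFold(key, "Authorization") {`, or canonicalize `key` once before the checks. The same line is changed in service/ccm/credential_state.go, service/ocm/credential_external.go and service/ocm/credential_state.go. buildProxyRequest starts and ends outside the hunk.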
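Review bot: isReverseProxyHeader has no comment stating why these headers are dropped, and its list omits the standardized `Forwarded` header (RFC 7239) plus `X-Forwarded-Host` and `X-Forwarded-Port`, which carry the same kind of edge-proxy metadata as the names that are listed; presumably the goal is that the upstream neither sees nor trusts client-origin data injected by the CDN, in which case those belong here too. I'd change the prefix test to `if strings.HasPrefix(lowerHeader, "cf-") || strings.HasPrefix(lowerHeader, "x-forwarded-") {` and add `"forwarded"` to the case list, and add a doc comment along the lines of `// isReverseProxyHeader reports whether header is injected by an edge proxy/CDN (cf-*, forwarded-client metadata) and must not be copied onto proxied requests.` The function is also duplicated byte-for-byte in service/ocm/service.go, so one shared definition would keep the two lists from drifting. The body of isHopByHopHeader shown in the context begins outside the hunk.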
@@ -241,7 +241,7 @@ func (c *externalCredential) buildProxyRequest(ctx context.Context, original *ht
 }
 for key, values := range original.Header {
- if !isHopByHopHeader(key) && key != "Authorization" {
+ if !isHopByHopHeader(key) && !isReverseProxyHeader(key) && key != "Authorization" {
 proxyRequest.Header[key] = values
 }
 }
diff --git a/service/ocm/credential_state.go b/service/ocm/credential_state.go
index 547926b87..92745492d 100644
--- a/service/ocm/credential_state.go
+++ b/service/ocm/credential_state.go
@@ -736,7 +736,7 @@ func (c *defaultCredential) buildProxyRequest(ctx context.Context, original *htt
 }
 for key, values := range original.Header {
- if !isHopByHopHeader(key) && key != "Authorization" {
+ if !isHopByHopHeader(key) && !isReverseProxyHeader(key) && key != "Authorization" {
 proxyRequest.Header[key] = values
 }
 }
diff --git a/service/ocm/service.go b/service/ocm/service.go
index 1c393716a..74fa776d8 100644
--- a/service/ocm/service.go
+++ b/service/ocm/service.go
@@ -136,6 +136,19 @@ func isHopByHopHeader(header string) bool {
 }
 }
 
+func isReverseProxyHeader(header string) bool {
+ lowerHeader := strings.ToLower(header)
+ if strings.HasPrefix(lowerHeader, "cf-") {
+ return true
+ }
+ switch lowerHeader {
+ case "cdn-loop", "true-client-ip", "x-forwarded-for", "x-forwarded-proto", "x-real-ip":
+ return true
+ default:
+ return false
+ }
+}
+
 func normalizeRateLimitIdentifier(limitIdentifier string) string {
 trimmedIdentifier := strings.TrimSpace(strings.ToLower(limitIdentifier))
 if trimmedIdentifier == "" {
diff --git a/service/ocm/service_websocket.go b/service/ocm/service_websocket.go
index eeb038056..7aa68499c 100644
--- a/service/ocm/service_websocket.go
+++ b/service/ocm/service_websocket.go
@@ -65,7 +65,7 @@ func isForwardableResponseHeader(key string) bool {
 }
 func isForwardableWebSocketRequestHeader(key string) bool {
- if isHopByHopHeader(key) {
+ if isHopByHopHeader(key) || isReverseProxyHeader(key) {
 return false
 }