diff --git a/lib/handler/redirect-handler.js b/lib/handler/redirect-handler.js
index 368ef520d76..16a7b2150a9 100644
--- a/lib/handler/redirect-handler.js
+++ b/lib/handler/redirect-handler.js
@@ -201,9 +201,9 @@ function shouldRemoveHeader (header, removeContent, unknownOrigin) {
 if (removeContent && util.headerNameToString(header).startsWith('content-')) {
 return true
 }
- if (unknownOrigin && (header.length === 13 || header.length === 6)) {
+ if (unknownOrigin && (header.length === 13 || header.length === 6 || header.length === 19)) {
 const name = util.headerNameToString(header)
- return name === 'authorization' || name === 'cookie'
+ return name === 'authorization' || name === 'cookie' || name === 'proxy-authorization'
 }
 return false
 }
diff --git a/test/redirect-cross-origin-header.js b/test/redirect-cross-origin-header.js
new file mode 100644
index 00000000000..451563cadc5
--- /dev/null
+++ b/test/redirect-cross-origin-header.js
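Review bot: The length guard `header.length === 13 || header.length === 6 || header.length === 19` and the `name === 'authorization' || name === 'cookie' || name === 'proxy-authorization'` return two lines below now encode the same three-header set in two places, and nothing in the hunk says which length belongs to which name, so a future addition can easily update one side and silently miss the other. A comment on the `if` line, `// 13 = 'authorization', 6 = 'cookie', 19 = 'proxy-authorization'; keep in sync with the names below`, would make the pairing explicit; alternatively the two checks could collapse into one `Set.has` lookup on the normalized name, at the cost of the string conversion the length pre-check presumably avoids. The `===` comparisons also depend on `util.headerNameToString` yielding a lowercase name, which is not visible here; the new test sends `'Proxy-Authorization'` in mixed case, so that assumption is at least exercised.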
@@ -0,0 +1,52 @@
+'use strict'
+
+const { test } = require('node:test')
+const { tspl } = require('@matteo.collina/tspl')
+const { createServer } = require('node:http')
+const { once } = require('node:events')
+const { request } = require('..')
+
+test('Cross-origin redirects clear forbidden headers', async (t) => {
+ const { strictEqual } = tspl(t, { plan: 6 })
+
+ const server1 = createServer((req, res) => {
+ strictEqual(req.headers.cookie, undefined)
+ strictEqual(req.headers.authorization, undefined)
+ strictEqual(req.headers['proxy-authorization'], undefined)
+
+ res.end('redirected')
+ }).listen(0)
+
+ const server2 = createServer((req, res) => {
+ strictEqual(req.headers.authorization, 'test')
+ strictEqual(req.headers.cookie, 'ddd=dddd')
+
+ res.writeHead(302, {
+ ...req.headers,
+ Location: `http://localhost:${server1.address().port}`
+ })
+ res.end()
+ }).listen(0)
+
+ t.after(() => {
+ server1.close()
+ server2.close()
+ })
+
+ await Promise.all([
+ once(server1, 'listening'),
+ once(server2, 'listening')
+ ])
+
+ const res = await request(`http://localhost:${server2.address().port}`, {
+ maxRedirections: 1,
+ headers: {
+ Authorization: 'test',
+ Cookie: 'ddd=dddd',
+ 'Proxy-Authorization': 'test'
+ }
+ })
+
+ const text = await res.body.text()
+ strictEqual(text, 'redirected')
+})
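Review bot: The server2 handler asserts the incoming `authorization` and `cookie` values but never checks `proxy-authorization`, so the test cannot tell "Proxy-Authorization was stripped on the cross-origin hop" apart from "Proxy-Authorization never reached server2 at all"; the server1 assertion `strictEqual(req.headers['proxy-authorization'], undefined)` passes in both cases and the new branch in redirect-handler.js is not actually pinned. Add `strictEqual(req.headers['proxy-authorization'], 'test')` next to the other two server2 checks and raise the plan to `tspl(t, { plan: 7 })`. Spreading `...req.headers` into the 302 response also echoes the client's request headers (host, connection, and so on) back as response headers; that appears harmless for this test, but a short comment on the `res.writeHead(302, {` line saying the spread exists only to make the redirect carry the credential headers forward would keep the intent clear.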