diff --git a/machines/gerd/services/authelia/authelia-nginx.nix b/machines/gerd/services/authelia/authelia-nginx.nix index b58399a..dce7a9e 100644 --- a/machines/gerd/services/authelia/authelia-nginx.nix +++ b/machines/gerd/services/authelia/authelia-nginx.nix @@ -75,9 +75,17 @@ let ## URL parameter set to $target_url. This requires users update 'auth.example.com/' with their external authelia URL. error_page 401 =302 https://${config.mine.shared.settings.authelia.domain}/?rd=$target_url; ''; + + nginxUnsetAuthHeaders = '' + proxy_set_header Remote-User ""; + proxy_set_header Remote-Groups ""; + proxy_set_header Remote-Email ""; + proxy_set_header Remote-Name ""; + ''; in { mine.shared.lib.authelia.mkProtectedWebsite = websiteConfig: lib.recursiveUpdate websiteConfig { - extraConfig = (lib.attrByPath [ "extraConfig" ] "" websiteConfig) + "\n" + "include ${autheliaLocation};"; + extraConfig = (websiteConfig.extraConfig or "") + "\n" + "include ${autheliaLocation};"; + locations = lib.mapAttrs (n: v: v // { extraConfig = nginxUnsetAuthHeaders + (v.extraConfig or ""); }) (websiteConfig.locations or {}); }; mine.shared.lib.authelia.mkProtectedLocation = vhostLocationConfig: lib.recursiveUpdate vhostLocationConfig {
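Review bot: The `nginxUnsetAuthHeaders` snippet is prepended only to the entries of `websiteConfig.locations` in `mkProtectedWebsite`, so a protected vhost that proxies from its server-level `extraConfig`, or a location built with `mkProtectedLocation`, may still forward a client-supplied `Remote-User` to the backend. The body of `mkProtectedLocation` lies outside this hunk, so confirm that it prepends the same snippet. Because nginx inherits `proxy_set_header` from an outer level only when the location defines none of its own, these four lines also stop any server- or http-level `proxy_set_header` from applying in every protected location, which is worth checking against vhosts that rely on inherited headers. The directives affect only `proxy_pass` upstreams, so backends reached through `fastcgi_pass` or similar would presumably still receive the client's values. A comment above the definition would record the intent, e.g. `# Drop client-supplied identity headers so backends never see a spoofed Remote-User.`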