diff --git a/access.lua b/access.lua
index 18aa0a8..74cc709 100644
--- a/access.lua
+++ b/access.lua
@@ -333,7 +333,11 @@ if hlp.has_access(permission) then
     -- add it to the response
     if permission["auth_header"] then
         hlp.set_headers()
+    else
+        hlp.clear_headers()
     end
+else
+    hlp.clear_headers()
 end
 return hlp.pass()
diff --git a/helpers.lua b/helpers.lua
index f5318a5..2bd4c13 100644
--- a/helpers.lua
+++ b/helpers.lua
@@ -414,6 +414,16 @@ function set_headers(user)
 end
+-- Removes the authentication headers. Call me when:
+-- - app is public and user is not authenticated
+-- - app requests that no authentication headers be sent
+-- Prevents user from pretending to be someone else on public apps
+function clear_headers()
+    ngx.req.clear_header("Authorization")
+    for k, v in pairs(conf["additional_headers"]) do
+        ngx.req.clear_header(k)
+    end
+end
 function refresh_user_cache(user)
 -- We definitely don't want to pass credentials on a non-encrypted
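Review bot: The two added `else` branches clear the identity headers only on the paths where `hlp.set_headers()` is not called, so on the authenticated path a client-supplied value for any header that `set_headers` does not itself overwrite would still be forwarded; whether that can happen depends on `set_headers`, which is outside this hunk. Stripping unconditionally before the decision removes the question: call `hlp.clear_headers()` once before `if hlp.has_access(permission) then` and drop both added `else` branches, letting `set_headers` repopulate the headers it owns. That also keeps the two clearing sites from drifting apart later. The enclosing `if hlp.has_access(permission) then` block begins before the hunk.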
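Review bot: `v` in `for k, v in pairs(conf["additional_headers"]) do` is never used, and `pairs` raises if `conf` has no `additional_headers` table, which would turn a request that should simply lose its identity headers into a Lua error in the access phase. Suggest `for k in pairs(conf["additional_headers"] or {}) do`; if the config loader guarantees the key, the `or {}` costs nothing. The header comment could also say which side is affected, since `ngx.req.clear_header` acts on the incoming request rather than the response, e.g. `-- Strips the identity headers from the incoming request before it is proxied upstream.`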