diff --git a/internal/webdevice/proxy.go b/internal/webdevice/proxy.go
index 696e22e..53456d9 100644
--- a/internal/webdevice/proxy.go
+++ b/internal/webdevice/proxy.go
@@ -151,10 +151,12 @@ func shouldRetryProxyRequest(req *http.Request, err error) bool {
 }
 
 func sanitizeProxyRequestHeader(source http.Header, upstreamPath string) http.Header {
- header := make(http.Header)
- copyHeaderValue(header, source, "Accept")
- copyHeaderValue(header, source, "Content-Type")
- copyHeaderValue(header, source, "Authorization")
+ header := source.Clone()
+ for key := range header {
+ if isProxyManagedHeader(key) {
+ header.Del(key)
+ }
+ }
 
 userAgent := strings.TrimSpace(source.Get("User-Agent"))
 if userAgent == "" {
@@ -164,17 +166,32 @@ func sanitizeProxyRequestHeader(source http.Header, upstreamPath string) http.He
 header.Set("Connection", "close")
 
 if !isLoginPagePath(upstreamPath) {
- copyHeaderValue(header, source, "Cookie")
+ return header
 }
 
+ header.Del("Cookie")
+ header.Del("Referer")
 return header
 }
 
-func copyHeaderValue(target, source http.Header, key string) {
- if value := source.Values(key); len(value) > 0 {
- target.Del(key)
- for _, item := range value {
- target.Add(key, item)
- }
+func isProxyManagedHeader(key string) bool {
+ switch http.CanonicalHeaderKey(key) {
+ case "Connection",
+ "Proxy-Connection",
+ "Keep-Alive",
+ "Transfer-Encoding",
+ "Upgrade",
+ "Te",
+ "Trailer",
+ "Proxy-Authenticate",
+ "Proxy-Authorization",
+ "Forwarded",
+ "X-Forwarded-For",
+ "X-Forwarded-Host",
+ "X-Forwarded-Proto",
+ "X-Real-Ip":
+ return true
+ default:
+ return false
 }
 }
diff --git a/internal/webdevice/proxy_test.go b/internal/webdevice/proxy_test.go
index fe454d1..f8954e3 100644
--- a/internal/webdevice/proxy_test.go
+++ b/internal/webdevice/proxy_test.go
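Review bot: The new `for key := range header` loop only strips the fixed list in isProxyManagedHeader and never removes the headers the client itself declares hop-by-hop in its `Connection` header (RFC 7230 §6.1), so a request carrying `Connection: X-Custom` plus an `X-Custom:` header would now relay `X-Custom` to the upstream device, which the old allowlist copy could not do. httputil.ReverseProxy deletes those named headers before dropping `Connection` itself, and the same can be done here with `strings`, which the function already uses a few lines down. Cloning everything and deleting a deny-list also means every other client header is forwarded by default; that looks intentional given the Sessiontag test, but is worth saying at the loop, e.g. `// Forward everything the client sent except hop-by-hop and proxy-set headers.` sanitizeProxyRequestHeader continues past the end of this hunk.
```go
	header := source.Clone()
	// Headers the client lists in Connection are hop-by-hop too (RFC 7230 §6.1)
	// and must not be relayed; ReverseProxy strips them the same way.
	for _, value := range source.Values("Connection") {
		for _, token := range strings.Split(value, ",") {
			if token = strings.TrimSpace(token); token != "" {
				header.Del(token)
			}
		}
	}
	for key := range header {
		if isProxyManagedHeader(key) {
			header.Del(key)
		}
	}
	// … unchanged: User-Agent handling …
```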
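Review bot: isProxyManagedHeader is a new function with no doc comment, and its name does not say which of two roles a header in the list plays: hop-by-hop headers the transport rewrites (this function also sets `Connection` itself) versus forwarding headers the proxy refuses to relay to the device. A comment such as `// isProxyManagedHeader reports whether key is a hop-by-hop or client-forwarding header that must not be copied from the incoming request; the proxy sets Connection on its own.` would make the deny-list intent explicit. Because it is a deny-list, any header not named here now reaches the upstream, so this switch is the single place to extend when a new header must be blocked, which the comment should also state.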
@@ -135,6 +135,8 @@ func TestSanitizeProxyRequestHeaderDropsLoginCookie(t *testing.T) {
 source.Set("User-Agent", "browser")
 source.Set("Cookie", "SID=1")
 source.Set("Referer", "http://10.8.0.18:13000/proxy/web/192.168.0.108/")
+ source.Set("Sessiontag", "abc123")
+ source.Set("If-Modified-Since", "0")
 source.Set("X-Forwarded-For", "10.8.0.1")
 
 loginHeader := sanitizeProxyRequestHeader(source, "/doc/page/login.asp")
@@ -147,9 +149,18 @@ func TestSanitizeProxyRequestHeaderDropsLoginCookie(t *testing.T) {
 if got := loginHeader.Get("X-Forwarded-For"); got != "" {
 t.Fatalf("login X-Forwarded-For = %q, want empty", got)
 }
+ if got := loginHeader.Get("Sessiontag"); got != "abc123" {
+ t.Fatalf("login Sessiontag = %q, want abc123", got)
+ }
 
 apiHeader := sanitizeProxyRequestHeader(source, "/ISAPI/Security/userCheck")
 if got := apiHeader.Get("Cookie"); got != "SID=1" {
 t.Fatalf("api Cookie = %q, want SID=1", got)
 }
+ if got := apiHeader.Get("Sessiontag"); got != "abc123" {
+ t.Fatalf("api Sessiontag = %q, want abc123", got)
+ }
+ if got := apiHeader.Get("If-Modified-Since"); got != "0" {
+ t.Fatalf("api If-Modified-Since = %q, want 0", got)
+ }
 }