diff --git a/Dockerfile b/Dockerfile
index 299441727536515d8d779efbcdf622c2968108fb..1f5c5d0e83b8db44f1164014f2bcb9ff94352538 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,15 +1,13 @@
 FROM golang:alpine as go_builder
-RUN apk add --no-cache curl git gcc musl-dev
-RUN curl https://glide.sh/get | sh
+RUN apk add --no-cache musl-dev
 WORKDIR /go/src/app
 COPY *.go go.* ./
 RUN go mod download
 RUN CGO_ENABLED=false go build -o app .
-FROM alpine:3.10
-RUN apk add --no-cache ca-certificates
+FROM gcr.io/distroless/static
 WORKDIR /
 COPY --from=go_builder /go/src/app/app /app
 COPY templates /templates
diff --git a/middleware.go b/middleware.go
index 9b0d0ecd1422f611e0d8b10c1c92c0307a20d548..2ec01419a159370968069bc4365de5628cb4218e 100644
--- a/middleware.go
+++ b/middleware.go
@@ -97,6 +97,21 @@ func (r *oauthProxy) loggingMiddleware(next http.Handler) http.Handler {
 	})
 }
 
+// requestHeaderSanitizingMiddleware is responsible for sanitizing the request headers
+func (r *oauthProxy) requestHeaderSanitizingMiddleware() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+			for k := range req.Header {
+				if strings.HasPrefix(strings.ToLower(k), "x-auth") {
+					req.Header.Del(k)
+				}
+			}
+
+			next.ServeHTTP(w, req)
+		})
+	}
+}
+
 // authenticationMiddleware is responsible for verifying the access token
 func (r *oauthProxy) authenticationMiddleware(whitelisted bool) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
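Review bot: The new runtime base `FROM gcr.io/distroless/static` carries no tag or digest, so every rebuild resolves to whatever `latest` happens to be and the image cannot be reproduced or audited; pin it, e.g. `FROM gcr.io/distroless/static:nonroot@sha256:<digest-placeholder>`. The `:nonroot` variant additionally runs the binary as an unprivileged user, which the untagged image does not (the dropped `alpine:3.10` stage ran as root too, so this is an easy gain rather than a regression). The builder line `FROM golang:alpine as go_builder` is left floating as well and deserves the same pinning. The retained `musl-dev` in the builder looks unnecessary now that `gcc` is gone and the build runs with `CGO_ENABLED=false`, though I cannot see whether anything outside this hunk relies on it.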
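Review bot: `req.Header.Del(k)` canonicalizes `k` through `textproto.CanonicalMIMEHeaderKey` before deleting, so a key stored in non-canonical form (possible when earlier code writes the `Header` map directly instead of via `Set`/`Add`) passes the lower-cased prefix test yet survives the delete; `delete(req.Header, k)` removes exactly the key being iterated, and deleting during a map `range` is safe in Go. The doc comment should also say what is stripped, e.g. `// requestHeaderSanitizingMiddleware removes every inbound header whose name starts with x-auth (case-insensitive), so a client cannot pre-supply headers the proxy presumably sets for upstreams.` Whether this middleware actually sits ahead of whatever populates X-Auth-* headers depends on the chain order, which is outside this hunk. The receiver `r` is unused in the new method, which is fine for API symmetry with `authenticationMiddleware` but worth a word if that is the intent.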