When a web browser sends Proxy-Authorization credentials to the proxy for sites that do not require proxy authentication (usually those with authenticate(no) rules), the Proxy-Authorization data can be transmitted to the Internet. This happens because the proxy forwards the Proxy-Authorization header upstream if it is not authenticating the session.
The following CPL can be applied to prevent the Proxy-Authorization header from being forwarded beyond the proxy:
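; Apply the header-removal action to requests handled by the proxy
<Proxy>
    action.remove_ProxyAuth_header(yes)

; Strip Proxy-Authorization so it is never sent upstream
define action remove_ProxyAuth_header
    delete(request.header.Proxy-Authorization)
end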
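
To confirm the policy is effective, inspect requests as they arrive on the upstream side of the proxy (for example at a test origin server you control) and check that no Proxy-Authorization header is present. The following Python check is an added example, not part of the original article or the vendor's tooling; the function name and the sample requests are constructed for illustration.

```python
import base64
from http.client import parse_headers
from io import BytesIO


def leaked_proxy_auth(raw_request: bytes):
    """Inspect a raw HTTP request captured upstream of the proxy.

    Returns None if no Proxy-Authorization header is present, otherwise a
    dict with the request line, the auth scheme and (for Basic) the user
    name only. The password is never returned.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    request_line, _, header_block = head.partition(b"\r\n")
    headers = parse_headers(BytesIO(header_block + b"\r\n\r\n"))
    value = headers.get("Proxy-Authorization")  # header lookup is case-insensitive
    if value is None:
        return None
    scheme, _, param = value.strip().partition(" ")
    finding = {"request": request_line.decode("latin-1"),
               "scheme": scheme, "user": None}
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(param.strip(), validate=True)
            finding["user"] = decoded.decode("utf-8", "replace").partition(":")[0]
        except ValueError:  # malformed base64 still counts as a leak
            finding["user"] = "<undecodable>"
    return finding


# Constructed sample captures (not real traffic).
_CRED = base64.b64encode(b"alice:s3cret").decode()
LEAKING = (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
           b"proxy-authorization: Basic " + _CRED.encode() + b"\r\n\r\n")
CLEAN = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for name, capture in (("before policy", LEAKING), ("after policy", CLEAN)):
        print(name, "->", leaked_proxy_auth(capture) or "no Proxy-Authorization header")
```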