diff --git a/authorize/check_response.go b/authorize/check_response.go
index 4bbaf5c27..fbcc9b0c9 100644
--- a/authorize/check_response.go
+++ b/authorize/check_response.go
@@ -154,15 +154,15 @@ func (a *Authorize) redirectResponse(in *envoy_service_auth_v2.CheckRequest) *en
 func getKubernetesHeaders(reply *evaluator.Result) []*envoy_api_v2_core.HeaderValueOption {
 var requestHeaders []*envoy_api_v2_core.HeaderValueOption
- if reply.MatchingPolicy != nil && reply.MatchingPolicy.KubernetesServiceAccountToken != "" {
+ if reply.MatchingPolicy != nil && (reply.MatchingPolicy.KubernetesServiceAccountTokenFile != "" || reply.MatchingPolicy.KubernetesServiceAccountToken != "") {
 requestHeaders = append(requestHeaders, mkHeader("Authorization", "Bearer "+reply.MatchingPolicy.KubernetesServiceAccountToken, false))
 if reply.UserEmail != "" {
 requestHeaders = append(requestHeaders, mkHeader("Impersonate-User", reply.UserEmail, false))
 }
- for _, group := range reply.UserGroups {
- requestHeaders = append(requestHeaders, mkHeader("Impersonate-Group", group, true))
+ for i, group := range reply.UserGroups {
+ requestHeaders = append(requestHeaders, mkHeader("Impersonate-Group", group, i > 0))
 }
 }
 return requestHeaders
diff --git a/authorize/check_response_test.go b/authorize/check_response_test.go
index 41654156d..7fa25f593 100644
--- a/authorize/check_response_test.go
+++ b/authorize/check_response_test.go
@@ -142,7 +142,7 @@ func TestAuthorize_okResponse(t *testing.T) {
 mkHeader("x-pomerium-jwt-assertion", "valid-signed-jwt", false),
 mkHeader("Authorization", "Bearer k8s-svc-account", false),
 mkHeader("Impersonate-User", "foo@example.com", false),
- mkHeader("Impersonate-Group", "admin", true),
+ mkHeader("Impersonate-Group", "admin", false),
 mkHeader("Impersonate-Group", "test", true),
 },
 },
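Review bot: In getKubernetesHeaders (authorize/check_response.go) the widened condition now also fires when only `KubernetesServiceAccountTokenFile` is set, but the Authorization value is still built from `reply.MatchingPolicy.KubernetesServiceAccountToken` alone. Unless the file's contents are copied into that field somewhere outside this hunk (not visible here), a file-only policy would send `Bearer ` with an empty token together with the Impersonate-* headers. Either guard on the resolved token, `if reply.MatchingPolicy != nil && reply.MatchingPolicy.KubernetesServiceAccountToken != "" {`, or add a comment naming where the token file is loaded into the field. The same two-field test is repeated in the xds_routes.go hunk for `remove_impersonate_headers`; one helper on the policy would keep header stripping and header injection from drifting apart.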
diff --git a/internal/controlplane/luascripts/remove-impersonate-headers.lua b/internal/controlplane/luascripts/remove-impersonate-headers.lua
new file mode 100644
index 000000000..d963de1ab
--- /dev/null
+++ b/internal/controlplane/luascripts/remove-impersonate-headers.lua
@@ -0,0 +1,25 @@
+local function starts_with(str, start)
+ return str:sub(1, #start) == start
+end
+
+function envoy_on_request(request_handle)
+ local headers = request_handle:headers()
+ local metadata = request_handle:metadata()
+
+ local remove_impersonate_headers = metadata:get("remove_impersonate_headers")
+ if remove_impersonate_headers then
+ local to_remove = {}
+ for k, v in pairs(headers) do
+ if starts_with(k, "impersonate-extra-") or k == "impersonate-group" or k == "impersonate-user" then
+ table.insert(to_remove, k)
+ end
+ end
+
+ for k, v in pairs(to_remove) do
+ headers:remove(v)
+ end
+ end
+end
+
+function envoy_on_response(response_handle)
+end
diff --git a/internal/controlplane/luascripts/statik.go b/internal/controlplane/luascripts/statik.go
index 72cd7d859..4696b00fc 100644
--- a/internal/controlplane/luascripts/statik.go
+++ b/internal/controlplane/luascripts/statik.go
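Review bot: The match in envoy_on_request of remove-impersonate-headers.lua enumerates three header names, so any other `impersonate-*` request header is forwarded unchanged on a route that asks for stripping; Kubernetes also accepts `Impersonate-Uid`, for example. Matching the whole prefix is simpler and fails closed when new impersonation headers appear: `if starts_with(k, "impersonate-") then`. A short comment above the first loop saying that keys are collected before removal so the header map is not modified while it is being iterated, and that the comparison relies on header names arriving lowercased, would help the next reader. `ipairs(to_remove)` would also read better than `pairs` for the array loop.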
@@ -9,6 +9,6 @@ import ( const Luascripts = "luascripts" // static asset namespace func init() { - data := "PK\x03\x04\x14\x00\x08\x00\x08\x00\x88\xbd\xbbP\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x12\x00 \x00clean-upstream.luaUT\x05\x00\x01P\xfb\xce^\x94S\xc1n\x9c0\x10\xbd\xf3\x15O\xf4PV%\x91z\xdd\xc8\xff\xd0{\xd5\"\x17f\x17\xab`\xbb\xf68\x9b\xe4\xd0o\xaf\x00\xc3\xe2\x00\xaa\xe2\x03\x1e\xcb\xf3\xde<\xde\x8c/A\xd7\xac\x8c\x86\xa3\xde\xfcZk\xc5\xe3#r\xf1\xfd\xe7\xd3\x8f/O\xc8K\xe4\xf9\xe9\xa3\xb8\x15\xca\x11\x07\xa7#&#\xddd\xd9\xe2[+}e\x1d]\xd4K\xe1\xd9\x95\x98\xe2\x04\xe7\xd9\xe1\xaf\x80V\x1d\xa4n\x86\xe3y(\xfb\xb5\xc4\xa7\x98\x0d!\"\xf0\x1d;\xe9g\xf3Z\x19]9\xfa\x13\xc8s\x11\xf7jrl*\xd3\x99ZvhI6\xe4<\x04\xd2\x9cs\xbc(\xd6\xc9=\xb1l$\xcbm\xf6|S\x9c\xb2U~\x9c\x8e\xb5Sb!9_\x89\x8b|\x7f\x80\xa2\x83\xea\xb2G\xc1-\xe9\xf1\xfa^hiPT=q'\\\x91/fFc\x13\xaaai\xba-\\\x07\xb3\xbdU\x94\x8e\xf8\xbcf)ql\x179\xe5\xbd\xc8\x1d0\xf4o\xde\xb7\x06\xca\xc0\xadq\xeaM\x8e\xdd\xfd\x9f\x85I\xf6\xc6\xc9\x94k\xc7\xcb\xf7\xc5\x12K\xf7\xb8\x0f\xa0q\xbe!\x90\x7f\x8b\xd2\x90\xaf[\xb1z\x03 \xb0\xdc\xe59m\x9buwx\xf8\xb3cqks\x0f\x1f\x8a\xb7F\xfb\xa1\xbbS\xb0<\x95\x11\xf1/\x00\x00\xff\xffPK\x07\x08\xfb\x06j<\xa2\x01\x00\x00\xf0\x04\x00\x00PK\x03\x04\x14\x00\x08\x00\x08\x00\x88\xbd\xbbP\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18\x00 \x00ext-authz-set-cookie.luaUT\x05\x00\x01P\xfb\xce^\x8c\x91An\x830\x10E\xf7\x9cb\xc4\xcaHI\x0e\x80\x94\x03t\xd1\x13T\x955\xc5C\xb0j\x8fS{\x88\x9aM\xcf^AM\x04\x0dM\x19 \x01\xe2\xff?\xf8\xbf\xb6\xe7Fl` \xbe\x84\xab\x0e\xac#}\xf4\x94D\xe5\xbb\xee\x90\x8d\xa3\xaa\x00\x00p\xa1A\x07\x1d\xa1\xa1\x98\xe0\x08KM\x9d?\xa8\xb9\xd8\\\x19\xbdm\xb4'\xc1{G\x92H\xe8\x9f\xb8\x0d\xaa\xaa\xb3\xf4\x99\x04\x0d\n\xe6\x18\xdbN\x0b\xeb\x13\x89*?\xf7\xe7\xe0)\xda\xde\xef\x13\xc9\xbe 
\xe1\xddRY\xc1\xd7\x11\xd8:\x90\x8ex\xf4\x0d3_^\xa7\xc1=\x1e\xf3\xd0Z'\x14\xd3\xa1\x139\x1f\\\x8f\xe5\x0e\xca)U'\x12\x9dSw\xb7\xa4\xbb\xd9\xf2OU\xf1[\x1d\xc9\x87\x0b\xfdi\x18\xf5\xc4\xa6\x18\xaeb\x8dM:\x07N\xa4\xa6\x87\x7f\xe8,D\xdb\xf0,-\x1b\xf8\xfc\xe4\xc8\x9b\x83\xe3\xb2\xef\xd3\x83\xbeoh\x07_&\x87l\x86\xd7\x97U\x12\xaf\xab|\xa7Z\xd1\x18U\xce\x8a\xdc=\x08Z\x96\xfc\x1d\x00\x00\xff\xffPK\x07\x08\x93\xe7\xad\x94\x07\x01\x00\x00\x00\x03\x00\x00PK\x01\x02\x14\x03\x14\x00\x08\x00\x08\x00\x88\xbd\xbbP\xfb\x06j<\xa2\x01\x00\x00\xf0\x04\x00\x00\x12\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\xb4\x81\x00\x00\x00\x00clean-upstream.luaUT\x05\x00\x01P\xfb\xce^PK\x01\x02\x14\x03\x14\x00\x08\x00\x08\x00\x88\xbd\xbbP\x93\xe7\xad\x94\x07\x01\x00\x00\x00\x03\x00\x00\x18\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\xb4\x81\xeb\x01\x00\x00ext-authz-set-cookie.luaUT\x05\x00\x01P\xfb\xce^PK\x05\x06\x00\x00\x00\x00\x02\x00\x02\x00\x98\x00\x00\x00A\x03\x00\x00\x00\x00" + data := "PK\x03\x04\x14\x00\x08\x00\x08\x00\x88\xbd\xbbP\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x12\x00 \x00clean-upstream.luaUT\x05\x00\x01P\xfb\xce^\x94S\xc1n\x9c0\x10\xbd\xf3\x15O\xf4PV%\x91z\xdd\xc8\xff\xd0{\xd5\"\x17f\x17\xab`\xbb\xf68\x9b\xe4\xd0o\xaf\x00\xc3\xe2\x00\xaa\xe2\x03\x1e\xcb\xf3\xde<\xde\x8c/A\xd7\xac\x8c\x86\xa3\xde\xfcZk\xc5\xe3#r\xf1\xfd\xe7\xd3\x8f/O\xc8K\xe4\xf9\xe9\xa3\xb8\x15\xca\x11\x07\xa7#&#\xddd\xd9\xe2[+}e\x1d]\xd4K\xe1\xd9\x95\x98\xe2\x04\xe7\xd9\xe1\xaf\x80V\x1d\xa4n\x86\xe3y(\xfb\xb5\xc4\xa7\x98\x0d!\"\xf0\x1d;\xe9g\xf3Z\x19]9\xfa\x13\xc8s\x11\xf7jrl*\xd3\x99ZvhI6\xe4<\x04\xd2\x9cs\xbc(\xd6\xc9=\xb1l$\xcbm\xf6|S\x9c\xb2U~\x9c\x8e\xb5Sb!9_\x89\x8b|\x7f\x80\xa2\x83\xea\xb2G\xc1-\xe9\xf1\xfa^hiPT=q'\\\x91/fFc\x13\xaaai\xba-\\\x07\xb3\xbdU\x94\x8e\xf8\xbcf)ql\x179\xe5\xbd\xc8\x1d0\xf4o\xde\xb7\x06\xca\xc0\xadq\xeaM\x8e\xdd\xfd\x9f\x85I\xf6\xc6\xc9\x94k\xc7\xcb\xf7\xc5\x12K\xf7\xb8\x0f\xa0q\xbe!\x90\x7f\x8b\xd2\x90\xaf[\xb1z\x03 
\xb0\xdc\xe59m\x9buwx\xf8\xb3cqks\x0f\x1f\x8a\xb7F\xfb\xa1\xbbS\xb0<\x95\x11\xf1/\x00\x00\xff\xffPK\x07\x08\xfb\x06j<\xa2\x01\x00\x00\xf0\x04\x00\x00PK\x03\x04\x14\x00\x08\x00\x08\x00\x88\xbd\xbbP\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18\x00 \x00ext-authz-set-cookie.luaUT\x05\x00\x01P\xfb\xce^\x8c\x91An\x830\x10E\xf7\x9cb\xc4\xcaHI\x0e\x80\x94\x03t\xd1\x13T\x955\xc5C\xb0j\x8fS{\x88\x9aM\xcf^AM\x04\x0dM\x19 \x01\xe2\xff?\xf8\xbf\xb6\xe7Fl` \xbe\x84\xab\x0e\xac#}\xf4\x94D\xe5\xbb\xee\x90\x8d\xa3\xaa\x00\x00p\xa1A\x07\x1d\xa1\xa1\x98\xe0\x08KM\x9d?\xa8\xb9\xd8\\\x19\xbdm\xb4'\xc1{G\x92H\xe8\x9f\xb8\x0d\xaa\xaa\xb3\xf4\x99\x04\x0d\n\xe6\x18\xdbN\x0b\xeb\x13\x89*?\xf7\xe7\xe0)\xda\xde\xef\x13\xc9\xbe \xe1\xddRY\xc1\xd7\x11\xd8:\x90\x8ex\xf4\x0d3_^\xa7\xc1=\x1e\xf3\xd0Z'\x14\xd3\xa1\x139\x1f\\\x8f\xe5\x0e\xca)U'\x12\x9dSw\xb7\xa4\xbb\xd9\xf2OU\xf1[\x1d\xc9\x87\x0b\xfdi\x18\xf5\xc4\xa6\x18\xaeb\x8dM:\x07N\xa4\xa6\x87\x7f\xe8,D\xdb\xf0,-\x1b\xf8\xfc\xe4\xc8\x9b\x83\xe3\xb2\xef\xd3\x83\xbeoh\x07_&\x87l\x86\xd7\x97U\x12\xaf\xab|\xa7Z\xd1\x18U\xce\x8a\xdc=\x08Z\x96\xfc\x1d\x00\x00\xff\xffPK\x07\x08\x93\xe7\xad\x94\x07\x01\x00\x00\x00\x03\x00\x00PK\x03\x04\x14\x00\x08\x00\x08\x00\xd7\xa5)Q\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1e\x00 \x00remove-impersonate-headers.luaUT\x05\x00\x016?Y_|\x92\xd1n\xb30\x0c\x85\xefy\n\x8b\xff&H\xf4\x97v\x8b\xc4\xb3DiqKTH\x98\xed\xb0M\xd3\xde}\xca\x02)\xack\xb9I\xc4\xf9|\xec#g\xf0'3\xc09\xb8\x93X\xef\x80\xc5\x90\xb0~\xb3\xd2+\x16\xaa\xd3\x8f\xaa\x00\x00 \x94@\x11\xa1\x86\xc3Q\xbd\xd4\xf0/\xa9\xd0\xb6\x89+\xd0uE\x91\xcd\xd0\xcd\xfeC{\xa7 
_\x03\xb2\xa8\xe5\xd4\xbdq\xdd\x80\xc95\x0d\xd0\xa3\xe9\x90\x18Z\xd83\xcd\"\xa8-<\xa2\x98\xce\x88\xb9\xa7WEU\xc5\x86'\x1c\xfd\x8c\xda\x8e\x13\x12{g\x04\xf5\xad\xdfZ\xd2\\PT\xf9\x18-\xd3\x04\xf6\xfc\xccNzt?\xd8\xad\xb9x\x9d\n\xa0\x85\xcf\xaf,\x9e=\xc1\xb5\x86\x19\xac\x83\xc9Xb\xb5xT\xd0\xf9L-\x1d\xb7[\xb9\xd6PnZ\x1f\xf0]\xc8\x1c\xca\n\xa2a\xdc\xc4N\xbd\x90\x0fS\xf9\xb7\x16\x18\xa9\xdc\x8f\xbc~b\x8e\x03\xfe\xb7\x8e\x91D\xe5\x045\\\xab\x1d\x1a\xd7\xbd\xbd?I\x97M\xee\xf2-\xb9\x9b$\xab\xb9*~\xdb\xc7\xf3\xe1\xcb\xe2\xc9;F\xb5^\xf2\xdb\x8a\x05\xdf\x01\x00\x00\xff\xffPK\x07\x08y\x19$\xa3\x1b\x01\x00\x00\xdd\x02\x00\x00PK\x01\x02\x14\x03\x14\x00\x08\x00\x08\x00\x88\xbd\xbbP\xfb\x06j<\xa2\x01\x00\x00\xf0\x04\x00\x00\x12\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\xb4\x81\x00\x00\x00\x00clean-upstream.luaUT\x05\x00\x01P\xfb\xce^PK\x01\x02\x14\x03\x14\x00\x08\x00\x08\x00\x88\xbd\xbbP\x93\xe7\xad\x94\x07\x01\x00\x00\x00\x03\x00\x00\x18\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\xb4\x81\xeb\x01\x00\x00ext-authz-set-cookie.luaUT\x05\x00\x01P\xfb\xce^PK\x01\x02\x14\x03\x14\x00\x08\x00\x08\x00\xd7\xa5)Qy\x19$\xa3\x1b\x01\x00\x00\xdd\x02\x00\x00\x1e\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\xb4\x81A\x03\x00\x00remove-impersonate-headers.luaUT\x05\x00\x016?Y_PK\x05\x06\x00\x00\x00\x00\x03\x00\x03\x00\xed\x00\x00\x00\xb1\x04\x00\x00\x00\x00" fs.RegisterWithNamespace("luascripts", data) } diff --git a/internal/controlplane/xds_listeners.go b/internal/controlplane/xds_listeners.go index 73eed0da4..83c9464b5 100644 --- a/internal/controlplane/xds_listeners.go +++ b/internal/controlplane/xds_listeners.go 
@@ -184,6 +184,9 @@ func buildMainHTTPConnectionManagerFilter(options *config.Options, domains []str
 cleanUpstreamLua, _ := ptypes.MarshalAny(&envoy_extensions_filters_http_lua_v3.Lua{
 InlineCode: luascripts.CleanUpstream,
 })
+ removeImpersonateHeadersLua, _ := ptypes.MarshalAny(&envoy_extensions_filters_http_lua_v3.Lua{
+ InlineCode: luascripts.RemoveImpersonateHeaders,
+ })
 var maxStreamDuration *durationpb.Duration
 if options.WriteTimeout > 0 {
@@ -197,6 +200,12 @@ func buildMainHTTPConnectionManagerFilter(options *config.Options, domains []str
 RouteConfig: buildRouteConfiguration("main", virtualHosts),
 },
 HttpFilters: []*envoy_http_connection_manager.HttpFilter{
+ {
+ Name: "envoy.filters.http.lua",
+ ConfigType: &envoy_http_connection_manager.HttpFilter_TypedConfig{
+ TypedConfig: removeImpersonateHeadersLua,
+ },
+ },
 {
 Name: "envoy.filters.http.ext_authz",
 ConfigType: &envoy_http_connection_manager.HttpFilter_TypedConfig{
diff --git a/internal/controlplane/xds_listeners_test.go b/internal/controlplane/xds_listeners_test.go
index ee5aa86c7..9d6f351ff 100644
--- a/internal/controlplane/xds_listeners_test.go
+++ b/internal/controlplane/xds_listeners_test.go
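Review bot: The position of the new Lua entry in `HttpFilters`, ahead of `envoy.filters.http.ext_authz`, is what makes the stripping safe, and nothing in the second hunk says so. If the filter ran after ext_authz it would presumably also delete the Impersonate-* headers that the authorize service adds, and if it were dropped, client-supplied values would reach the upstream whenever ext_authz sets none (for example a user with no groups). I would add a comment on the entry such as `// must stay before ext_authz: strips client-supplied Impersonate-* headers so only those set by authorize reach the upstream`. In the first hunk the error from `ptypes.MarshalAny` is discarded with `_`, matching the existing line above it; the function body continues outside both hunks.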
@@ -44,6 +44,13 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
 "idleTimeout": "300s"
 },
 "httpFilters": [
+ {
+ "name": "envoy.filters.http.lua",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua",
+ "inlineCode": "local function starts_with(str, start)\n return str:sub(1, #start) == start\nend\n\nfunction envoy_on_request(request_handle)\n local headers = request_handle:headers()\n local metadata = request_handle:metadata()\n\n local remove_impersonate_headers = metadata:get(\"remove_impersonate_headers\")\n if remove_impersonate_headers then\n local to_remove = {}\n for k, v in pairs(headers) do\n if starts_with(k, \"impersonate-extra-\") or k == \"impersonate-group\" or k == \"impersonate-user\" then\n table.insert(to_remove, k)\n end\n end\n\n for k, v in pairs(to_remove) do\n headers:remove(v)\n end\n end\nend\n\nfunction envoy_on_response(response_handle)\nend\n"
+ }
+ },
 {
 "name": "envoy.filters.http.ext_authz",
 "typedConfig": {
diff --git a/internal/controlplane/xds_lua.go b/internal/controlplane/xds_lua.go
index 7e642a391..852c86d0b 100644
--- a/internal/controlplane/xds_lua.go
+++ b/internal/controlplane/xds_lua.go
@@ -13,8 +13,9 @@ import (
 //go:generate go fmt ./luascripts/statik.go
 var luascripts struct {
- ExtAuthzSetCookie string
- CleanUpstream string
+ ExtAuthzSetCookie string
+ CleanUpstream string
+ RemoveImpersonateHeaders string
 }
 func init() {
@@ -24,8 +25,9 @@ func init() {
 }
 fileToField := map[string]*string{
- "/clean-upstream.lua": &luascripts.CleanUpstream,
- "/ext-authz-set-cookie.lua": &luascripts.ExtAuthzSetCookie,
+ "/clean-upstream.lua": &luascripts.CleanUpstream,
+ "/ext-authz-set-cookie.lua": &luascripts.ExtAuthzSetCookie,
+ "/remove-impersonate-headers.lua": &luascripts.RemoveImpersonateHeaders,
 }
 err = fs.Walk(hfs, "/", func(p string, fi os.FileInfo, err error) error {
diff --git a/internal/controlplane/xds_routes.go b/internal/controlplane/xds_routes.go
index 4722d0105..33bfaea3a 100644
--- a/internal/controlplane/xds_routes.go
+++ b/internal/controlplane/xds_routes.go
@@ -139,6 +139,11 @@ func buildPolicyRoutes(options *config.Options, domain string) []*envoy_config_r
 BoolValue: true,
 },
 },
+ "remove_impersonate_headers": {
+ Kind: &structpb.Value_BoolValue{
+ BoolValue: policy.KubernetesServiceAccountTokenFile != "" || policy.KubernetesServiceAccountToken != "",
+ },
+ },
 },
 },
 },
diff --git a/internal/controlplane/xds_routes_test.go b/internal/controlplane/xds_routes_test.go
index 7f61b3588..81ee41f3b 100644
--- a/internal/controlplane/xds_routes_test.go
+++ b/internal/controlplane/xds_routes_test.go
@@ -253,6 +253,7 @@ func Test_buildPolicyRoutes(t *testing.T) {
 "metadata": {
 "filterMetadata": {
 "envoy.filters.http.lua": {
+ "remove_impersonate_headers": false,
 "remove_pomerium_authorization": true,
 "remove_pomerium_cookie": "pomerium"
 }
@@ -276,6 +277,7 @@ func Test_buildPolicyRoutes(t *testing.T) {
 "metadata": {
 "filterMetadata": {
 "envoy.filters.http.lua": {
+ "remove_impersonate_headers": false,
 "remove_pomerium_authorization": true,
 "remove_pomerium_cookie": "pomerium"
 }
@@ -299,6 +301,7 @@ func Test_buildPolicyRoutes(t *testing.T) {
 "metadata": {
 "filterMetadata": {
 "envoy.filters.http.lua": {
+ "remove_impersonate_headers": false,
 "remove_pomerium_authorization": true,
 "remove_pomerium_cookie": "pomerium"
 }
@@ -332,6 +335,7 @@ func Test_buildPolicyRoutes(t *testing.T) {
 "metadata": {
 "filterMetadata": {
 "envoy.filters.http.lua": {
+ "remove_impersonate_headers": false,
 "remove_pomerium_authorization": true,
 "remove_pomerium_cookie": "pomerium"
 }
@@ -355,6 +359,7 @@ func Test_buildPolicyRoutes(t *testing.T) {
 "metadata": {
 "filterMetadata": {
 "envoy.filters.http.lua": {
+ "remove_impersonate_headers": false,
 "remove_pomerium_authorization": true,
 "remove_pomerium_cookie": "pomerium"
 }
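Review bot: The `remove_impersonate_headers` flag added in buildPolicyRoutes (xds_routes.go) is only ever asserted as `false` in the xds_routes_test.go hunks shown here, so the branch that actually turns stripping on has no visible expectation. A case with `KubernetesServiceAccountToken` set, and one with only `KubernetesServiceAccountTokenFile`, each expecting `"remove_impersonate_headers": true`, would pin the security-relevant path. A comment on the metadata key, for example `// read by remove-impersonate-headers.lua; true only for routes that inject a Kubernetes service account token`, would tie it to its consumer. buildPolicyRoutes continues outside the hunk.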
@@ -379,6 +384,7 @@ func Test_buildPolicyRoutes(t *testing.T) {
 "metadata": {
 "filterMetadata": {
 "envoy.filters.http.lua": {
+ "remove_impersonate_headers": false,
 "remove_pomerium_authorization": true,
 "remove_pomerium_cookie": "pomerium"
 }
@@ -402,6 +408,7 @@ func Test_buildPolicyRoutes(t *testing.T) {
 "metadata": {
 "filterMetadata": {
 "envoy.filters.http.lua": {
+ "remove_impersonate_headers": false,
 "remove_pomerium_authorization": true,
 "remove_pomerium_cookie": "pomerium"
 }
@@ -425,6 +432,7 @@ func Test_buildPolicyRoutes(t *testing.T) {
 "metadata": {
 "filterMetadata": {
 "envoy.filters.http.lua": {
+ "remove_impersonate_headers": false,
 "remove_pomerium_authorization": true,
 "remove_pomerium_cookie": "pomerium"
 }
@@ -473,6 +481,7 @@ func TestAddOptionsHeadersToResponse(t *testing.T) {
 "metadata": {
 "filterMetadata": {
 "envoy.filters.http.lua": {
+ "remove_impersonate_headers": false,
 "remove_pomerium_authorization": true,
 "remove_pomerium_cookie": "pomerium"
 }
@@ -539,6 +548,7 @@ func Test_buildPolicyRoutesRewrite(t *testing.T) {
 "metadata": {
 "filterMetadata": {
 "envoy.filters.http.lua": {
+ "remove_impersonate_headers": false,
 "remove_pomerium_authorization": true,
 "remove_pomerium_cookie": "pomerium"
 }
@@ -563,6 +573,7 @@ func Test_buildPolicyRoutesRewrite(t *testing.T) {
 "metadata": {
 "filterMetadata": {
 "envoy.filters.http.lua": {
+ "remove_impersonate_headers": false,
 "remove_pomerium_authorization": true,
 "remove_pomerium_cookie": "pomerium"
 }
@@ -587,6 +598,7 @@ func Test_buildPolicyRoutesRewrite(t *testing.T) {
 "metadata": {
 "filterMetadata": {
 "envoy.filters.http.lua": {
+ "remove_impersonate_headers": false,
 "remove_pomerium_authorization": true,
 "remove_pomerium_cookie": "pomerium"
 }