diff --git a/authorize/check_response.go b/authorize/check_response.go
index 79f15624b..251554f5e 100644
--- a/authorize/check_response.go
+++ b/authorize/check_response.go
@@ -13,7 +13,6 @@ import (
 	envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 	envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
 	envoy_type_v3 "github.com/envoyproxy/go-control-plane/envoy/type/v3"
-	"github.com/golang/protobuf/ptypes/wrappers"
 	"github.com/tniswong/go.rfcx/rfc7231"
 	"google.golang.org/genproto/googleapis/rpc/status"
 	"google.golang.org/grpc/codes"
@@ -99,7 +98,7 @@ func (a *Authorize) handleResultDenied(
 func (a *Authorize) okResponse(headers http.Header) *envoy_service_auth_v3.CheckResponse {
 	var requestHeaders []*envoy_config_core_v3.HeaderValueOption
 	for k, vs := range headers {
-		requestHeaders = append(requestHeaders, mkHeader(k, strings.Join(vs, ","), false))
+		requestHeaders = append(requestHeaders, mkHeader(k, strings.Join(vs, ",")))
 	}
 	// ensure request headers are sorted by key for deterministic output
 	sort.Slice(requestHeaders, func(i, j int) bool {
@@ -153,7 +152,7 @@ func (a *Authorize) deniedResponse(
 
 	// add any additional headers
 	for k, v := range headers {
-		respHeader = append(respHeader, mkHeader(k, v, false))
+		respHeader = append(respHeader, mkHeader(k, v))
 	}
 
 	return &envoy_service_auth_v3.CheckResponse{
@@ -256,15 +255,13 @@ func (a *Authorize) requireWebAuthnResponse(
 	})
 }
 
-func mkHeader(k, v string, shouldAppend bool) *envoy_config_core_v3.HeaderValueOption {
+func mkHeader(k, v string) *envoy_config_core_v3.HeaderValueOption {
 	return &envoy_config_core_v3.HeaderValueOption{
 		Header: &envoy_config_core_v3.HeaderValue{
 			Key:   k,
 			Value: v,
 		},
-		Append: &wrappers.BoolValue{
-			Value: shouldAppend,
-		},
+		AppendAction: envoy_config_core_v3.HeaderValueOption_OVERWRITE_IF_EXISTS_OR_ADD,
 	}
 }
 
@@ -277,7 +274,7 @@ func toEnvoyHeaders(headers http.Header) []*envoy_config_core_v3.HeaderValueOpti
 
 	envoyHeaders := make([]*envoy_config_core_v3.HeaderValueOption, 0, len(headers))
 	for _, k := range ks {
-		envoyHeaders = append(envoyHeaders, mkHeader(k, headers.Get(k), false))
+		envoyHeaders = append(envoyHeaders, mkHeader(k, headers.Get(k)))
 	}
 	return envoyHeaders
 }
diff --git a/authorize/check_response_test.go b/authorize/check_response_test.go
index 52ec4b9ec..9844ef4fb 100644
--- a/authorize/check_response_test.go
+++ b/authorize/check_response_test.go
@@ -150,8 +150,8 @@ func TestAuthorize_deniedResponse(t *testing.T) {
 							Code: envoy_type_v3.StatusCode(codes.InvalidArgument),
 						},
 						Headers: []*envoy_config_core_v3.HeaderValueOption{
-							mkHeader("Content-Type", "text/html; charset=UTF-8", false),
-							mkHeader("X-Pomerium-Intercepted-Response", "true", false),
+							mkHeader("Content-Type", "text/html; charset=UTF-8"),
+							mkHeader("X-Pomerium-Intercepted-Response", "true"),
 						},
 						Body: "Access Denied",
 					},
diff --git a/config/envoyconfig/listeners_test.go b/config/envoyconfig/listeners_test.go
index 8b3ae002c..727a4b12f 100644
--- a/config/envoyconfig/listeners_test.go
+++ b/config/envoyconfig/listeners_test.go
@@ -223,21 +223,21 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
 						"name": "example.com",
 						"domains": ["example.com"],
 						"responseHeadersToAdd": [{
-							"append": false,
+							"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
 							"header": {
 								"key": "Strict-Transport-Security",
 								"value": "max-age=31536000; includeSubDomains; preload"
 							}
 						},
 						{
-							"append": false,
+							"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
 							"header": {
 								"key": "X-Frame-Options",
 								"value": "SAMEORIGIN"
 							}
 						},
 						{
-							"append": false,
+							"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
 							"header": {
 								"key": "X-XSS-Protection",
 								"value": "1; mode=block"
@@ -364,21 +364,21 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
 						"name": "catch-all",
 						"domains": ["*"],
 						"responseHeadersToAdd": [{
-							"append": false,
+							"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
 							"header": {
 								"key": "Strict-Transport-Security",
 								"value": "max-age=31536000; includeSubDomains; preload"
 							}
 						},
 						{
-							"append": false,
+							"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
 							"header": {
 								"key": "X-Frame-Options",
 								"value": "SAMEORIGIN"
 							}
 						},
 						{
-							"append": false,
+							"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
 							"header": {
 								"key": "X-XSS-Protection",
 								"value": "1; mode=block"
@@ -521,21 +521,21 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
 						},
 						"headersToAdd":[
 							{
-								"append":false,
+								"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
 								"header":{
 									"key":"Strict-Transport-Security",
 									"value":"max-age=31536000; includeSubDomains; preload"
 								}
 							},
 							{
-								"append":false,
+								"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
 								"header":{
 									"key":"X-Frame-Options",
 									"value":"SAMEORIGIN"
 								}
 							},
 							{
-								"append":false,
+								"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
 								"header":{
 									"key":"X-XSS-Protection",
 									"value":"1; mode=block"
diff --git a/config/envoyconfig/routes.go b/config/envoyconfig/routes.go
index 182733036..02b4c0251 100644
--- a/config/envoyconfig/routes.go
+++ b/config/envoyconfig/routes.go
@@ -222,7 +222,7 @@ func (b *Builder) buildPolicyRoutes(options *config.Options, domain string) ([]*
 							Key:   hdr[0],
 							Value: hdr[1],
 						},
-						Append: wrapperspb.Bool(false),
+						AppendAction: envoy_config_core_v3.HeaderValueOption_OVERWRITE_IF_EXISTS_OR_ADD,
 					})
 			}
 		}
@@ -343,7 +343,7 @@ func mkEnvoyHeader(k, v string) *envoy_config_core_v3.HeaderValueOption {
 			Key:   k,
 			Value: v,
 		},
-		Append: &wrappers.BoolValue{Value: false},
+		AppendAction: envoy_config_core_v3.HeaderValueOption_OVERWRITE_IF_EXISTS_OR_ADD,
 	}
 }
 
diff --git a/config/envoyconfig/routes_test.go b/config/envoyconfig/routes_test.go
index 80d8b1103..7604af6f6 100644
--- a/config/envoyconfig/routes_test.go
+++ b/config/envoyconfig/routes_test.go
@@ -485,7 +485,7 @@ func Test_buildPolicyRoutes(t *testing.T) {
 					]
 				},
 				"requestHeadersToAdd": [{
-					"append": false,
+					"appendAction": "OVERWRITE_IF_EXISTS_OR_ADD",
 					"header": {
 						"key": "HEADER-KEY",
 						"value": "HEADER-VALUE"
diff --git a/scripts/get-envoy.bash b/scripts/get-envoy.bash
index aacaa5800..d993bdbb5 100755
--- a/scripts/get-envoy.bash
+++ b/scripts/get-envoy.bash
@@ -5,7 +5,7 @@ PATH="$PATH:$(go env GOPATH)/bin"
 export PATH
 
 _project_root="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)/.."
-_envoy_version=1.23.2
+_envoy_version=1.24.0
 _dir="$_project_root/pkg/envoy/files"
 _target="${TARGET:-"$(go env GOOS)-$(go env GOARCH)"}"