diff --git a/authentik/providers/proxy/controllers/k8s/ingress.py b/authentik/providers/proxy/controllers/k8s/ingress.py
index 2815f2a9d..7b4f10d5d 100644
--- a/authentik/providers/proxy/controllers/k8s/ingress.py
+++ b/authentik/providers/proxy/controllers/k8s/ingress.py
@@ -92,8 +92,6 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
             # Buffer sizes for large headers with JWTs
             "nginx.ingress.kubernetes.io/proxy-buffers-number": "4",
             "nginx.ingress.kubernetes.io/proxy-buffer-size": "16k",
-            # Ensure ingress can receive TLS traffic
-            "traefik.ingress.kubernetes.io/router.tls": "true",
         }
         annotations.update(self.controller.outpost.config.kubernetes_ingress_annotations)
         return annotations
diff --git a/authentik/providers/proxy/controllers/k8s/traefik.py b/authentik/providers/proxy/controllers/k8s/traefik.py
index 7c29b7226..22b7a4f47 100644
--- a/authentik/providers/proxy/controllers/k8s/traefik.py
+++ b/authentik/providers/proxy/controllers/k8s/traefik.py
@@ -101,6 +101,11 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
             != reference.spec.forwardAuth.authResponseHeadersRegex
         ):
             raise NeedsUpdate()
+        # Ensure all of our headers are set, others can be added by the user.
+        if not set(current.spec.forwardAuth.authResponseHeaders).issubset(
+            reference.spec.forwardAuth.authResponseHeaders
+        ):
+            raise NeedsUpdate()
 
     def get_reference_object(self) -> TraefikMiddleware:
         """Get deployment object for outpost"""
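Review bot: The subset test in the added block runs in the opposite direction from what its comment describes: `set(current...).issubset(reference...)` passes when the live middleware is missing some of our headers and fails when a user has added extra ones, so drift that drops identity headers from the deployed object is never reconciled while user additions trigger a rewrite. The check should read `if not set(reference.spec.forwardAuth.authResponseHeaders).issubset(current.spec.forwardAuth.authResponseHeaders):` so that every header the outpost relies on is present and extras are tolerated. If `authResponseHeaders` can be absent on the object read back from the cluster, wrap the current-side value with `or []` before building the set, since `set(None)` raises TypeError; the hunk does not show whether the client guarantees a list. The enclosing reconcile method starts outside the hunk.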
@@ -115,8 +120,27 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
             spec=TraefikMiddlewareSpec(
                 forwardAuth=TraefikMiddlewareSpecForwardAuth(
                     address=f"http://{self.name}.{self.namespace}:9000/akprox/auth/traefik",
-                    authResponseHeaders=[],
-                    authResponseHeadersRegex="^(Auth|Remote|X|Set).*$",
+                    authResponseHeaders=[
+                        # Legacy headers, remove after 2022.1
+                        "X-Auth-Username",
+                        "X-Auth-Groups",
+                        "X-Forwarded-Email",
+                        "X-Forwarded-Preferred-Username",
+                        "X-Forwarded-User",
+                        # New headers, unique prefix
+                        "X-authentik-username",
+                        "X-authentik-groups",
+                        "X-authentik-email",
+                        "X-authentik-name",
+                        "X-authentik-uid",
+                        "X-authentik-jwt",
+                        "X-authentik-meta-jwks",
+                        "X-authentik-meta-outpost",
+                        "X-authentik-meta-provider",
+                        "X-authentik-meta-app",
+                        "X-authentik-meta-version",
+                    ],
+                    authResponseHeadersRegex="",
                     trustForwardHeader=True,
                 )
             ),
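Review bot: The header allowlist at `authResponseHeaders=[...]` decides which identity headers Traefik copies from the auth response onto the upstream request, yet it is an inline literal inside get_reference_object with no single definition that the reconcile check or the outpost side can share. Hoist it to a documented module-level constant, e.g. `AUTH_RESPONSE_HEADERS: list[str] = [...]` with a comment that it must match the headers the proxy outpost emits, and pass `authResponseHeaders=list(AUTH_RESPONSE_HEADERS),` here, so the planned removal of the legacy entries after 2022.1 happens in one place. Replacing the broad `^(Auth|Remote|X|Set).*$` regex with an explicit list narrows what reaches the backend, which is the right direction; whether Traefik treats the empty `authResponseHeadersRegex=""` as "no regex" rather than an invalid pattern is worth confirming against the CRD, since the hunk does not show it. get_reference_object starts before the hunk.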