diff --git a/install_files/securedrop-app-code/DEBIAN/postinst b/install_files/securedrop-app-code/DEBIAN/postinst
index 3fc413be0f7..a36a72ed888 100755
--- a/install_files/securedrop-app-code/DEBIAN/postinst
+++ b/install_files/securedrop-app-code/DEBIAN/postinst
@@ -63,6 +63,19 @@ database_migration() {
     fi
 }
 
+# Supports passing authorization headers for the SecureDrop API.
+# Only affects the Journalist Interface. Required for unattended upgrade
+# to v0.9.0.
+function permit_wsgi_authorization() {
+    journalist_conf="/etc/apache2/sites-available/journalist.conf"
+    # First we check whether the line is present.
+    # Next we find a target line to anchor the insertion.
+    # Then we insert the line, along with the target line that was matched.
+    if ! grep -qP '^WSGIPassAuthorization' "$journalist_conf"; then
+        perl -pi -e 's/^(WSGIScriptAlias .*)/$1\nWSGIPassAuthorization On/' "$journalist_conf"
+    fi
+}
+
 case "$1" in
     configure)
     # Ensure SecureDrop's necessary directories are created
@@ -99,6 +112,9 @@ case "$1" in
     aa-enforce /etc/apparmor.d/usr.sbin.tor
     aa-enforce /etc/apparmor.d/usr.sbin.apache2
 
+    # Munge Apache config while service is stopped.
+    permit_wsgi_authorization
+
     # Restart apache so it loads with the apparmor profiles in enforce mode.
     service apache2 restart