diff --git a/pipeline/authn/authenticator_bearer_token.go b/pipeline/authn/authenticator_bearer_token.go
index d6a81d63c1..79e5ae88ef 100644
--- a/pipeline/authn/authenticator_bearer_token.go
+++ b/pipeline/authn/authenticator_bearer_token.go
@@ -86,9 +86,9 @@ func (a *AuthenticatorBearerToken) Config(config json.RawMessage) (*Authenticato
 if len(c.SubjectFrom) == 0 {
 c.SubjectFrom = "sub"
 }
- if len(c.ForwardHTTPHeaders) == 0 {
- c.ForwardHTTPHeaders = []string{header.Authorization, header.Cookie}
- }
+
+ // Add Authorization and Cookie headers for backward compatibility
+ c.ForwardHTTPHeaders = append(c.ForwardHTTPHeaders, []string{header.Authorization, header.Cookie}...)
 c.ForwardHTTPHeadersMap = make(map[string]string)
 for _, h := range c.ForwardHTTPHeaders {
diff --git a/pipeline/authn/authenticator_bearer_token_test.go b/pipeline/authn/authenticator_bearer_token_test.go
index 2a3f3d5d22..af4e997fc9 100644
--- a/pipeline/authn/authenticator_bearer_token_test.go
+++ b/pipeline/authn/authenticator_bearer_token_test.go
@@ -96,7 +96,7 @@ func TestAuthenticatorBearerToken(t *testing.T) {
 w.WriteHeader(200)
 w.Write([]byte(`{"sub": "123"}`))
 },
- config: []byte(`{"preserve_query": true, "forward_http_headers": ["Authorization"]}`),
+ config: []byte(`{"preserve_query": true}`),
 expectErr: false,
 expectSess: &AuthenticationSession{
 Subject: "123",
@@ -113,7 +113,7 @@ func TestAuthenticatorBearerToken(t *testing.T) {
 w.WriteHeader(200)
 w.Write([]byte(`{"sub": "123"}`))
 },
- config: []byte(`{"preserve_path": true, "preserve_query": false, "forward_http_headers": ["Authorization"]}`),
+ config: []byte(`{"preserve_path": true, "preserve_query": false}`),
 expectErr: false,
 expectSess: &AuthenticationSession{
 Subject: "123",
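Review bot: In `Config` of authenticator_bearer_token.go, the unconditional `append` means an operator-supplied `forward_http_headers` list can no longer exclude `Authorization` or `Cookie`; before this change an explicit list replaced the default instead of extending it. For the bearer-token authenticator that presumably sends the caller's cookies to the session-check backend even when the list was set to narrow what leaves the proxy, which is a least-privilege regression. If always-forwarding is intended, the comment should say so instead of "backward compatibility", e.g. `// Authorization and Cookie are always forwarded; forward_http_headers can only add to this set.`, and the config documentation should match. Otherwise keep the `if len(c.ForwardHTTPHeaders) == 0` default. The same change is made in the authenticator_cookie_session.go hunk, and `Config` continues outside both hunks.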
@@ -128,7 +128,7 @@ func TestAuthenticatorBearerToken(t *testing.T) {
 w.WriteHeader(200)
 w.Write([]byte(`{"sub": "123"}`))
 },
- config: []byte(`{"preserve_path": true, "force_method": "GET", "forward_http_headers": ["Authorization"]}`),
+ config: []byte(`{"preserve_path": true, "force_method": "GET"}`),
 expectErr: false,
 expectSess: &AuthenticationSession{
 Subject: "123",
@@ -145,7 +145,7 @@ func TestAuthenticatorBearerToken(t *testing.T) {
 w.WriteHeader(200)
 w.Write([]byte(`{"sub": "123"}`))
 },
- config: []byte(`{"preserve_path": false, "preserve_query": true, "forward_http_headers": ["Authorization"]}`),
+ config: []byte(`{"preserve_path": false, "preserve_query": true}`),
 expectErr: false,
 expectSess: &AuthenticationSession{
 Subject: "123",
@@ -160,7 +160,7 @@ func TestAuthenticatorBearerToken(t *testing.T) {
 w.WriteHeader(200)
 w.Write([]byte(`{"sub": "123"}`))
 },
- config: []byte(`{"preserve_path": true, "preserve_query": true, "check_session_url": "http://origin-replaced-in-test/configured/path?q=configured-query", "forward_http_headers": ["Authorization", "X-Forwared-Host"]}`),
+ config: []byte(`{"preserve_path": true, "preserve_query": true, "check_session_url": "http://origin-replaced-in-test/configured/path?q=configured-query", "forward_http_headers": ["X-Forwared-Host"]}`),
 expectErr: false,
 expectSess: &AuthenticationSession{
 Subject: "123",
@@ -176,7 +176,7 @@ func TestAuthenticatorBearerToken(t *testing.T) {
 w.WriteHeader(200)
 w.Write([]byte(`{"sub": "123"}`))
 },
- config: []byte(`{"preserve_host": true, "forward_http_headers": ["Authorization"]}`),
+ config: []byte(`{"preserve_host": true}`),
 expectErr: false,
 expectSess: &AuthenticationSession{
 Subject: "123",
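Review bot: After this change no case in the visible test hunks lists `Authorization` explicitly in `forward_http_headers`, so a configured entry that duplicates one of the appended defaults is no longer exercised; the `-160` case is the only one left with an explicit list. Consider keeping one case with `"forward_http_headers": ["Authorization"]` and asserting that the upstream receives the header exactly once. There is also no visible case pinning what happens to `Cookie` when the operator's list omits it, which is the behaviour this commit changes. Separately, the retained `"X-Forwared-Host"` looks like a misspelling of `X-Forwarded-Host`; if the request fixture (outside the hunk) uses the correct spelling, this case does not verify custom-header forwarding.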
@@ -193,7 +193,7 @@ func TestAuthenticatorBearerToken(t *testing.T) {
 w.WriteHeader(200)
 w.Write([]byte(`{"sub": "123"}`))
 },
- config: []byte(`{"preserve_host": true, "additional_headers": {"X-Foo": "bar","X-Forwarded-For": "not-some-host"}, "forward_http_headers":["Authorization"]}`),
+ config: []byte(`{"preserve_host": true, "additional_headers": {"X-Foo": "bar","X-Forwarded-For": "not-some-host"}}`),
 expectErr: false,
 expectSess: &AuthenticationSession{
 Subject: "123",
diff --git a/pipeline/authn/authenticator_cookie_session.go b/pipeline/authn/authenticator_cookie_session.go
index 4c2b2f57d6..efa86def03 100644
--- a/pipeline/authn/authenticator_cookie_session.go
+++ b/pipeline/authn/authenticator_cookie_session.go
@@ -89,9 +89,9 @@ func (a *AuthenticatorCookieSession) Config(config json.RawMessage) (*Authentica
 if len(c.SubjectFrom) == 0 {
 c.SubjectFrom = "subject"
 }
- if len(c.ForwardHTTPHeaders) == 0 {
- c.ForwardHTTPHeaders = []string{header.Authorization, header.Cookie}
- }
+
+ // Add Authorization and Cookie headers for backward compatibility
+ c.ForwardHTTPHeaders = append(c.ForwardHTTPHeaders, []string{header.Authorization, header.Cookie}...)
 c.ForwardHTTPHeadersMap = make(map[string]string)
 for _, h := range c.ForwardHTTPHeaders {