diff --git a/gateway/src/apicast/http_proxy.lua b/gateway/src/apicast/http_proxy.lua
index 10b313638..624aa0502 100644
--- a/gateway/src/apicast/http_proxy.lua
+++ b/gateway/src/apicast/http_proxy.lua
@@ -167,7 +167,10 @@ function _M.request(upstream, proxy_uri)
 -- Only set "Proxy-Authorization" when sending HTTP request. When sent over HTTPS,
 -- the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has
 -- no visibility into the tunneled request.
- if not ngx.var.http_proxy_authorization and proxy_auth then
+ --
+ -- Also DO NOT set the header if using the camel proxy to avoid unintended leak of
+ -- Proxy-Authorization header in requests
+ if not ngx.var.http_proxy_authorization and proxy_auth and not upstream.skip_https_connect then
 ngx.req.set_header("Proxy-Authorization", proxy_auth)
 end
diff --git a/t/apicast-policy-camel.t b/t/apicast-policy-camel.t
index 8b4fce6aa..ddaac389c 100644
--- a/t/apicast-policy-camel.t
+++ b/t/apicast-policy-camel.t
@@ -318,6 +318,7 @@ EOF
 === TEST 5: API backend connection uses http proxy with Basic Auth
+Check that the Proxy Authorization header is not sent
 --- configuration
 {
 "services": [
@@ -358,7 +359,7 @@ EOF
 access_by_lua_block {
 assert = require('luassert')
 local proxy_auth = ngx.req.get_headers()['Proxy-Authorization']
- assert.equals(proxy_auth, "Basic Zm9vOmJhcg==")
+ assert.falsy(proxy_auth)
 ngx.say("yay, api backend")
 }
 }
@@ -371,6 +372,7 @@ yay, api backend
 using proxy: http://foo:bar@127.0.0.1:$TEST_NGINX_HTTP_PROXY_PORT
 === TEST 6: API backend using all_proxy with Basic Auth
+Check that the Proxy Authorization header is not sent
 --- configuration
 {
 "services": [
@@ -411,7 +413,7 @@ using proxy: http://foo:bar@127.0.0.1:$TEST_NGINX_HTTP_PROXY_PORT
 access_by_lua_block {
 assert = require('luassert')
 local proxy_auth = ngx.req.get_headers()['Proxy-Authorization']
- assert.equals(proxy_auth, "Basic Zm9vOmJhcg==")
+ assert.falsy(proxy_auth)
 ngx.say("yay, api backend")
 }
 }
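Review bot: The new `not upstream.skip_https_connect` operand only stops APIcast from setting `Proxy-Authorization`; when the incoming request already carries that header, the first operand `not ngx.var.http_proxy_authorization` short-circuits and the header stays on the request, so the "avoid unintended leak" comment overstates what the condition guarantees if request headers are otherwise forwarded unchanged on this path (the forwarding code is not visible in the hunk). If the intent is that no proxy credential reaches the upstream in that mode, clear it explicitly ahead of the existing check: `if upstream.skip_https_connect then ngx.req.clear_header("Proxy-Authorization") end`. The added comment also speaks of "the camel proxy" while the code reads `upstream.skip_https_connect`; naming the flag would make the link explicit, e.g. `-- Also DO NOT set the header when upstream.skip_https_connect is set (the camel proxy case), as it would otherwise be sent in the plain request to the upstream`. `_M.request` begins before this hunk and continues after it.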
@@ -425,6 +427,7 @@ using proxy: http://foo:bar@127.0.0.1:$TEST_NGINX_HTTP_PROXY_PORT
 === TEST 7: using HTTPS proxy for backend with Basic Auth.
+Check that the Proxy Authorization header is not sent
 --- init eval
 $Test::Nginx::Util::PROXY_SSL_PORT = Test::APIcast::get_random_port();
 $Test::Nginx::Util::ENDPOINT_SSL_PORT = Test::APIcast::get_random_port();
@@ -473,10 +476,6 @@ EOF
 location /test {
 access_by_lua_block {
- assert = require('luassert')
- local proxy_auth = ngx.req.get_headers()['Proxy-Authorization']
- assert.falsy(proxy_auth)
-
 ngx.say("yay, endpoint backend")
 }
 }
@@ -505,3 +504,5 @@ GET /test?user_key=test3 <
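Review bot: The removed lines in the `@@ -473,10 +476,6` hunk take the `assert.falsy(proxy_auth)` check out of TEST 7's `/test` endpoint, yet the `@@ -425,6 +427,7` hunk adds the description "Check that the Proxy Authorization header is not sent" to that same test, so TEST 7 now documents a check it no longer performs. Either keep the assertion in the endpoint, as TEST 5 and TEST 6 do in the other file hunks, or drop the added description line; if the assertion was removed because the header cannot be observed at the endpoint on the HTTPS CONNECT path, state that in the description instead, e.g. `Proxy Authorization is sent only in the CONNECT request; the endpoint cannot observe it`. The surrounding server/config block starts before this hunk and its remainder is not visible.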