diff --git a/proxyfilters/forwardedfor.go b/proxyfilters/forwardedfor.go
index 64ce708c..64f7e8ee 100644
--- a/proxyfilters/forwardedfor.go
+++ b/proxyfilters/forwardedfor.go
@@ -3,7 +3,6 @@ package proxyfilters
 import (
 "net"
 "net/http"
- "strings"
 
 "github.com/getlantern/proxy/v3/filters"
 )
@@ -17,10 +16,12 @@ const (
 var AddForwardedFor = filters.FilterFunc(func(cs *filters.ConnectionState, req *http.Request, next filters.Next) (*http.Response, *filters.ConnectionState, error) {
 if req.Method != http.MethodConnect {
 if clientIP, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
- if prior, ok := req.Header[xForwardedFor]; ok {
- clientIP = strings.Join(prior, ", ") + ", " + clientIP
- }
+ // Proxies are supposed to actually overwrite previous values, as they
+ // can be maliciously set by the client.
 req.Header.Set(xForwardedFor, clientIP)
+ } else {
+ // If we can't parse the client IP, we should remove the header.
+ req.Header.Del(xForwardedFor)
 }
 }
 return next(cs, req)
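Review bot: The overwrite only runs on the non-CONNECT path, so for `http.MethodConnect` requests a client-supplied X-Forwarded-For still passes through this filter untouched. If CONNECT request headers can reach a later filter or an upstream proxy (not visible in this hunk), an unconditional `req.Header.Del(xForwardedFor)` placed before the `if req.Method != http.MethodConnect {` check would close that gap and make the new `else` branch unnecessary. The new comment could also state the deployment assumption behind the overwrite, e.g. `// RemoteAddr is the only client address we trust; behind another proxy this records that proxy's IP.` The closure's body continues past the end of the hunk.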