diff --git a/internal/pkg/config/config.go b/internal/pkg/config/config.go
index 69dfb8d85..739976799 100644
--- a/internal/pkg/config/config.go
+++ b/internal/pkg/config/config.go
@@ -170,11 +170,18 @@ func redactOutput(cfg *Config) Output {
 }
 for k := range redacted.Elasticsearch.Headers {
- if strings.Contains(strings.ToLower(k), "auth") || strings.Contains(strings.ToLower(k), "token") || strings.Contains(strings.ToLower(k), "key") { // best-effort scan to redact sensitive headers
+ lk := strings.ToLower(k)
+ if strings.Contains(lk, "auth") || strings.Contains(lk, "token") || strings.Contains(lk, "key") || strings.Contains(lk, "bearer") { // best-effort scan to redact sensitive headers
 redacted.Elasticsearch.Headers[k] = kRedacted
 }
 }
+ for k := range redacted.Elasticsearch.ProxyHeaders {
+ lk := strings.ToLower(k)
+ if strings.Contains(lk, "auth") || strings.Contains(lk, "token") || strings.Contains(lk, "key") || strings.Contains(lk, "bearer") { // best-effort scan to redact sensitive headers
+ redacted.Elasticsearch.ProxyHeaders[k] = kRedacted
+ }
+ }
 return redacted
 }
diff --git a/internal/pkg/config/config_test.go b/internal/pkg/config/config_test.go
index 16175a97b..9fc46a449 100644
--- a/internal/pkg/config/config_test.go
+++ b/internal/pkg/config/config_test.go
@@ -427,14 +427,14 @@ func TestConfigRedact(t *testing.T) {
 },
 },
 {
- name: "Redact custom authorization output header",
+ name: "Redact custom output headers",
 inputCfg: &Config{
 Inputs: []Input{{}},
 Output: Output{
 Elasticsearch: Elasticsearch{
 Protocol: "https",
 Hosts: []string{"localhost:9200"},
- Headers: map[string]string{"X-Authorization": "secretValue", "X-Custom": "value"},
+ Headers: map[string]string{"X-Authorization": "secretValue", "X-Custom": "value", "X-App-Token": "customToken", "X-App-Key": "secretKey", "X-Custom-Bearer": "secretBearer"},
 ServiceTokenPath: "path/to/file",
 },
 },
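Review bot: The sensitive-name test is now written out twice in redactOutput, once in the `Headers` loop and once in the new `ProxyHeaders` loop, so the two substring lists can drift apart the next time one of them is extended. A single helper keeps them in step and is the natural place to widen the list, since names such as `Cookie` or `X-Api-Secret` contain none of `auth`, `token`, `key` or `bearer` and would stay in the redacted copy as-is. Separately, the new loop assigns into `redacted.Elasticsearch.ProxyHeaders` in place. Go maps are shared by a struct copy, so if `redacted` is a shallow copy of `cfg.Output` and the map is not cloned above the hunk (the function starts outside it), this would overwrite the live proxy headers; it is worth confirming that a copy is made first.

```go
// isSensitiveHeader reports whether a header name looks like it carries a
// credential. Best-effort substring match on the lower-cased name.
func isSensitiveHeader(name string) bool {
	lk := strings.ToLower(name)
	for _, s := range []string{"auth", "token", "key", "bearer", "secret", "cookie", "password"} {
		if strings.Contains(lk, s) {
			return true
		}
	}
	return false
}

	// … unchanged: earlier redaction steps in redactOutput …
	for k := range redacted.Elasticsearch.Headers {
		if isSensitiveHeader(k) {
			redacted.Elasticsearch.Headers[k] = kRedacted
		}
	}
	for k := range redacted.Elasticsearch.ProxyHeaders {
		if isSensitiveHeader(k) {
			redacted.Elasticsearch.ProxyHeaders[k] = kRedacted
		}
	}
```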
@@ -445,7 +445,32 @@ func TestConfigRedact(t *testing.T) {
 Elasticsearch: Elasticsearch{
 Protocol: "https",
 Hosts: []string{"localhost:9200"},
- Headers: map[string]string{"X-Authorization": kRedacted, "X-Custom": "value"},
+ Headers: map[string]string{"X-Authorization": kRedacted, "X-Custom": "value", "X-App-Token": kRedacted, "X-App-Key": kRedacted, "X-Custom-Bearer": kRedacted},
+ ServiceTokenPath: "path/to/file",
+ },
+ },
+ },
+ },
+ {
+ name: "Redact proxy authorization output header",
+ inputCfg: &Config{
+ Inputs: []Input{{}},
+ Output: Output{
+ Elasticsearch: Elasticsearch{
+ Protocol: "https",
+ Hosts: []string{"localhost:9200"},
+ ProxyHeaders: map[string]string{"X-Proxy-Authorization": "secretValue"},
+ ServiceTokenPath: "path/to/file",
+ },
+ },
+ },
+ redactedCfg: &Config{
+ Inputs: []Input{{}},
+ Output: Output{
+ Elasticsearch: Elasticsearch{
+ Protocol: "https",
+ Hosts: []string{"localhost:9200"},
+ ProxyHeaders: map[string]string{"X-Proxy-Authorization": kRedacted},
 ServiceTokenPath: "path/to/file",
 },
 },
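Review bot: The new "Redact proxy authorization output header" case puts only a header that must be redacted into `ProxyHeaders`, so it cannot catch a predicate that over-matches, and nothing visible in the hunk checks that `inputCfg` still holds `secretValue` after the call. Adding a benign entry to both maps would mirror the `X-Custom` entry in the `Headers` case: `ProxyHeaders: map[string]string{"X-Proxy-Authorization": "secretValue", "X-Custom": "value"},` on the input, with the expected side keeping `"X-Custom": "value"` next to `kRedacted`. An assertion on the input config after the call would also show whether redaction writes through to the caller's map. The assertion code of TestConfigRedact lies outside the hunk, so part of this may already be covered.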