diff --git a/CHANGELOG.md b/CHANGELOG.md
index 00412234..f17a9768 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@
 ## Changes since v7.14.0
 
 - [#3309](https://github.com/oauth2-proxy/oauth2-proxy/pull/3309) fix: Return 302 redirect from AuthOnly endpoint when skip-provider-button is true (@StefanMarkmann)
+- [#3302](https://github.com/oauth2-proxy/oauth2-proxy/pull/3302) fix: static upstreams failing validation due to `passHostHeader` and `proxyWebSockets` defaults being set incorrectly (@sourava01)
 
 # V7.14.0
 
diff --git a/pkg/apis/options/upstreams.go b/pkg/apis/options/upstreams.go
index a56fca61..aaed0937 100644
--- a/pkg/apis/options/upstreams.go
+++ b/pkg/apis/options/upstreams.go
@@ -146,16 +146,21 @@ func (u *Upstream) EnsureDefaults() {
 	if u.FlushInterval == nil {
 		u.FlushInterval = ptr.To(DefaultUpstreamFlushInterval)
 	}
-	if u.PassHostHeader == nil {
-		u.PassHostHeader = ptr.To(DefaultUpstreamPassHostHeader)
-	}
-	if u.ProxyWebSockets == nil {
-		u.ProxyWebSockets = ptr.To(DefaultUpstreamProxyWebSockets)
-	}
 	if u.Timeout == nil {
 		u.Timeout = ptr.To(DefaultUpstreamTimeout)
 	}
 	if u.DisableKeepAlives == nil {
 		u.DisableKeepAlives = ptr.To(DefaultUpstreamDisableKeepAlives)
 	}
+
+	// PassHostHeader and ProxyWebSockets must remain nil for static upstreams
+	// as they don't apply and validation will flag them if set
+	if !ptr.Deref(u.Static, DefaultUpstreamStatic) {
+		if u.PassHostHeader == nil {
+			u.PassHostHeader = ptr.To(DefaultUpstreamPassHostHeader)
+		}
+		if u.ProxyWebSockets == nil {
+			u.ProxyWebSockets = ptr.To(DefaultUpstreamProxyWebSockets)
+		}
+	}
 }