diff --git a/pkg/requests/util/util.go b/pkg/requests/util/util.go
index 290f8059..2dd7e97a 100644
--- a/pkg/requests/util/util.go
+++ b/pkg/requests/util/util.go
@@ -30,6 +30,12 @@ func GetRequestHost(req *http.Request) string {
 host := req.Header.Get(XForwardedHost)
 if !IsProxied(req) || host == "" {
 host = req.Host
+ } else {
+ // Handle multiple hosts in X-Forwarded-Host (comma-separated)
+ // Take only the first host as per RFC 7239
+ if hosts := strings.Split(host, ","); len(hosts) > 0 {
+ host = strings.TrimSpace(hosts[0])
+ }
 }
 return host
 }
diff --git a/pkg/requests/util/util_test.go b/pkg/requests/util/util_test.go
index ba72c66d..6ae30f47 100644
--- a/pkg/requests/util/util_test.go
+++ b/pkg/requests/util/util_test.go
@@ -59,6 +59,16 @@ var _ = Describe("Util Suite", func() {
 req.Header.Add("X-Forwarded-Host", "external.oauth2proxy.text")
 Expect(util.GetRequestHost(req)).To(Equal("external.oauth2proxy.text"))
 })
+
+ It("returns the first X-Forwarded-Host when multiple hosts are present", func() {
+ req.Header.Add("X-Forwarded-Host", "first.host,second.host,third.host")
+ Expect(util.GetRequestHost(req)).To(Equal("first.host"))
+ })
+
+ It("returns the first X-Forwarded-Host when multiple hosts are present with extra spaces", func() {
+ req.Header.Add("X-Forwarded-Host", " first.host , second.host , third.host ")
+ Expect(util.GetRequestHost(req)).To(Equal("first.host"))
+ })
 })
 })
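Review bot: The new else branch in GetRequestHost can leave host empty: a header value whose first comma-separated element is blank (e.g. `,example.com` or a lone `,`) passes the `host == ""` guard above, then `strings.TrimSpace(hosts[0])` yields `""` and the fallback to `req.Host` never runs, so callers get an empty host instead of the request's own. The `len(hosts) > 0` check is also dead, since `strings.Split` always returns at least one element; `strings.Cut` expresses "first element" directly, and the rewrite below re-applies the `req.Host` fallback after trimming — the two new specs in util_test.go do not cover an empty first element either. The comment's reference to RFC 7239 is misleading, because that RFC defines the `Forwarded` header, which this code does not parse; I would describe the comma-separated form as proxy convention instead. GetRequestHost's signature line is outside the hunk.
```go
		host = req.Host
	} else {
		// X-Forwarded-Host may be a comma-separated list when several proxies
		// are chained; keep only the first value. A blank first element falls
		// back to req.Host, the same as an absent header.
		first, _, _ := strings.Cut(host, ",")
		host = strings.TrimSpace(first)
		if host == "" {
			host = req.Host
		}
	}
	// … unchanged: return host …
```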