diff --git a/plugins/wasm-go/extensions/ext-auth/README.md b/plugins/wasm-go/extensions/ext-auth/README.md
index 288581ad2..24dd39e57 100644
--- a/plugins/wasm-go/extensions/ext-auth/README.md
+++ b/plugins/wasm-go/extensions/ext-auth/README.md
@@ -271,3 +271,14 @@ Content-Length: 0
 ```
 
 `ext-auth` 服务返回响应头中如果包含 `x-user-id` 和 `x-auth-version`,网关调用upstream时的请求中会带上这两个请求头
+
+#### x-forwarded-* header
+在endpoint_mode为forward_auth时,higress会自动生成并发送以下header至鉴权服务。
+
+| Header | 说明 |
+|--------------------|-------------------------------------|
+| x-forwarded-proto | 原始请求的scheme,比如http/https |
+| x-forwarded-method | 原始请求的方法,比如get/post/delete/patch |
+| x-forwarded-host | 原始请求的host |
+| x-forwarded-uri | 原始请求的path,包含路径参数,比如/v1/app?test=true |
+| x-forwarded-for | 原始请求的客户端IP地址 |
\ No newline at end of file
diff --git a/plugins/wasm-go/extensions/ext-auth/main.go b/plugins/wasm-go/extensions/ext-auth/main.go
index 523a603ac..3dc0556a0 100644
--- a/plugins/wasm-go/extensions/ext-auth/main.go
+++ b/plugins/wasm-go/extensions/ext-auth/main.go
@@ -37,6 +37,12 @@ const (
 HeaderFailureModeAllow string = "x-envoy-auth-failure-mode-allowed"
 HeaderOriginalMethod string = "x-original-method"
 HeaderOriginalUri string = "x-original-uri"
+
+ // Currently, x-forwarded-xxx headers only apply for forward_auth.
+ HeaderXForwardedProto = "x-forwarded-proto"
+ HeaderXForwardedMethod = "x-forwarded-method"
+ HeaderXForwardedUri = "x-Forwarded-uri"
+ HeaderXForwardedHost = "x-Forwarded-host"
 )
 
 func onHttpRequestHeaders(ctx wrapper.HttpContext, config ExtAuthConfig, log wrapper.Log) types.Action {
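Review bot: `HeaderXForwardedUri` and `HeaderXForwardedHost` are spelled with a capital `F` (`"x-Forwarded-uri"`, `"x-Forwarded-host"`), unlike the two lowercase constants above them and the README table added in the same commit. Header names compare case-insensitively on the wire, but if `extAuthReqHeaders` in the `checkExtAuth` hunk is a case-sensitive map rather than a canonicalizing type (its declaration is not visible here), `Set` with the mixed-case key would not overwrite a lowercase `x-forwarded-uri` already copied from the client request, and the auth service could then see the client's value. I would use `HeaderXForwardedUri = "x-forwarded-uri"` and `HeaderXForwardedHost = "x-forwarded-host"`, and give the four new constants the explicit `string` type the rest of the block uses. The const block starts above the hunk.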
@@ -95,6 +101,10 @@ func checkExtAuth(ctx wrapper.HttpContext, config ExtAuthConfig, body []byte, lo
 if httpServiceConfig.endpointMode == EndpointModeForwardAuth {
 extAuthReqHeaders.Set(HeaderOriginalMethod, ctx.Method())
 extAuthReqHeaders.Set(HeaderOriginalUri, ctx.Path())
+ extAuthReqHeaders.Set(HeaderXForwardedProto, ctx.Scheme())
+ extAuthReqHeaders.Set(HeaderXForwardedMethod, ctx.Method())
+ extAuthReqHeaders.Set(HeaderXForwardedUri, ctx.Path())
+ extAuthReqHeaders.Set(HeaderXForwardedHost, ctx.Host())
 }
 
 requestMethod := httpServiceConfig.requestMethod
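Review bot: The README change in this commit lists `x-forwarded-for` among the headers higress generates in forward_auth mode, but the four added `Set` calls do not write it and no constant for it is added. If that header reaches the auth service it must come from another layer or from the client's own request, which matters when the auth service uses it for IP-based decisions; either set it here from the connection's peer address or correct the README. A comment above the new calls would also help, e.g. `// Set (not Add) so client-supplied x-forwarded-* values are replaced by what the gateway observed.` `checkExtAuth` begins and continues outside the hunk.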