diff -ruNp modsecurity-2.9.0.orig/nginx/modsecurity/ngx_http_modsecurity.c modsecurity-2.9.0/nginx/modsecurity/ngx_http_modsecurity.c
--- modsecurity-2.9.0.orig/nginx/modsecurity/ngx_http_modsecurity.c	2015-02-12 20:08:31.000000000 +0100
+++ modsecurity-2.9.0/nginx/modsecurity/ngx_http_modsecurity.c	2015-07-31 23:34:31.601688075 +0200
@@ -28,6 +28,7 @@
 
 typedef struct {
     ngx_flag_t                  enable;
+    ngx_flag_t                  x_headers;
     directory_config            *config;
 
     ngx_str_t                   *file;
@@ -83,6 +84,12 @@ static ngx_command_t  ngx_http_modsecuri
     NGX_HTTP_LOC_CONF_OFFSET,
     offsetof(ngx_http_modsecurity_loc_conf_t, enable),
     NULL },
+  { ngx_string("ModSecurityXHeaders"),
+    NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_SIF_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF|NGX_CONF_TAKE1,
+    ngx_conf_set_flag_slot,
+    NGX_HTTP_LOC_CONF_OFFSET,
+    offsetof(ngx_http_modsecurity_loc_conf_t, x_headers),
+    NULL },
   ngx_null_command
 };
 
@@ -432,7 +439,11 @@ ngx_http_modsecurity_save_headers_in_vis
     }
 
     ngx_strlow(h->lowcase_key, h->key.data, h->key.len);
+    h->lowcase_key[h->key.len] = '\0';
 
+    if (!ngx_strcmp(h->lowcase_key, "host"))
+        return 1;
+ 
     h->hash = ngx_hash_key(h->lowcase_key, h->key.len);
 
     cmcf = ngx_http_get_module_main_conf(r, ngx_http_core_module);
@@ -737,8 +748,10 @@ ngx_http_modsecurity_save_headers_out_vi
     ngx_table_elt_t                *h, he;
     ngx_http_upstream_header_t     *hh;
     ngx_http_upstream_main_conf_t  *umcf;
+    ngx_table_elt_t                *tmp_header;
 
     umcf = ngx_http_get_module_main_conf(r, ngx_http_upstream_module);
+    ngx_http_modsecurity_loc_conf_t *conf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity);
 
     h = &he;
 
@@ -755,6 +768,19 @@ ngx_http_modsecurity_save_headers_out_vi
 
     ngx_strlow(h->lowcase_key, h->key.data, h->key.len);
 
+    if (conf->x_headers) {
+        h->lowcase_key[h->key.len] = '\0';
+        if (h->lowcase_key[0] == 'x' &&
+            h->lowcase_key[1] == '-') {
+
+            tmp_header = ngx_list_push(&r->headers_out.headers);
+            tmp_header->key = h->key;
+            tmp_header->value = h->value;
+            tmp_header->hash = 1;
+            return 1;
+        }
+    }
+
     h->hash = ngx_hash_key(h->lowcase_key, h->key.len);
 
     hh = ngx_hash_find(&umcf->headers_in_hash, h->hash,
@@ -810,6 +836,7 @@ ngx_http_modsecurity_create_loc_conf(ngx
 
     conf->config = NGX_CONF_UNSET_PTR;
     conf->enable = NGX_CONF_UNSET;
+    conf->x_headers = NGX_CONF_UNSET;
 
     return conf;
 }
@@ -823,6 +850,7 @@ ngx_http_modsecurity_merge_loc_conf(ngx_
     ngx_http_modsecurity_loc_conf_t  *conf = child;
 
     ngx_conf_merge_value(conf->enable, prev->enable, 0);
+    ngx_conf_merge_value(conf->x_headers, prev->x_headers, 0);
     ngx_conf_merge_ptr_value(conf->config, prev->config, NULL);
 
     if (conf->enable && conf->config == NULL) {