diff --git a/config/settings/base.py b/config/settings/base.py
index affca13cf2007dfd20e500bd04dc1039832ff6a8..5d2d61a98b86cf080e0e18409c1944045dac0556 100644
--- a/config/settings/base.py
+++ b/config/settings/base.py
@@ -271,8 +271,8 @@ SHIB_ATTRIBUTE_MAP = {
 # Headers to use for X509 authentication
 X509_SUBJECT_DN_HEADER = 'HTTP_SSL_CLIENT_S_DN'
 X509_ISSUER_DN_HEADER = 'HTTP_SSL_CLIENT_I_DN'
-X509_CERT_HEADER = 'X_FORWARDED_TLS_CLIENT_CERT'
-X509_INFOS_HEADER = 'X_FORWARDED_TLS_CLIENT_CERT_INFOS'
+X509_CERT_HEADER = 'HTTP_X_FORWARDED_TLS_CLIENT_CERT'
+X509_INFOS_HEADER = 'HTTP_X_FORWARDED_TLS_CLIENT_CERT_INFOS'
 
 # List of authentication backends to use when attempting to authenticate
 # a user.  Will be used in this order.  Authentication for the API is
diff --git a/gracedb/api/backends.py b/gracedb/api/backends.py
index ba273c6ff4b4f339c860f902844c6bd540fbcc4a..2d4dd5ff27b12d7b372f12238ae2dcbe50160724 100644
--- a/gracedb/api/backends.py
+++ b/gracedb/api/backends.py
@@ -168,7 +168,7 @@ class GraceDbX509CertInfosAuthentication(GraceDbX509Authentication):
     """
     api_only = True
     infos_header = getattr(settings, 'X509_INFOS_HEADER',
-        'X_FORWARDED_TLS_CLIENT_CERT_INFOS')
+        'HTTP_X_FORWARDED_TLS_CLIENT_CERT_INFOS')
     infos_pattern = re.compile(r'Subject="(.*?)".*Issuer="(.*?)"')
 
     @classmethod
@@ -210,7 +210,7 @@ class GraceDbX509FullCertAuthentication(GraceDbX509Authentication):
     api_only = True
     www_authenticate_realm = 'api'
     cert_header = getattr(settings, 'X509_CERT_HEADER',
-        'X_FORWARDED_TLS_CLIENT_CERT')
+        'HTTP_X_FORWARDED_TLS_CLIENT_CERT')
 
     def authenticate(self, request):