diff --git a/internal/ingress/annotations/customheaders/main.go b/internal/ingress/annotations/customheaders/main.go
index 12428a1be..d64c07426 100644
--- a/internal/ingress/annotations/customheaders/main.go
+++ b/internal/ingress/annotations/customheaders/main.go
@@ -37,6 +37,7 @@ type Config struct {
 var (
 	headerRegexp = regexp.MustCompile(`^[a-zA-Z\d\-_]+$`)
+	valueRegexp = regexp.MustCompile(`^[a-zA-Z\d\_ :;.,\/"'?!(){}[]@<>=-\+\*#$&<|~^%]+$`)
 )
 // ValidHeader checks is the provided string satisfies the header's name regex
@@ -44,6 +45,11 @@ func ValidHeader(header string) bool {
 	return headerRegexp.MatchString(header)
 }
+// ValidValue checks is the provided string satisfies the value regex
+func ValidValue(header string) bool {
+	return valueRegexp.MatchString(header)
+}
+
 type customHeaders struct {
 	r resolver.Resolver
 }
@@ -70,10 +76,13 @@ func (a customHeaders) Parse(ing *networking.Ingress) (interface{}, error) {
 		return nil, ing_errors.NewLocationDenied(fmt.Sprintf("unable to find configMap %q", clientHeadersConfigMapName))
 	}
-	for header := range clientHeadersMapContents.Data {
+	for header, value := range clientHeadersMapContents.Data {
 		if !ValidHeader(header) {
 			return nil, ing_errors.NewLocationDenied("invalid client-headers in configmap")
 		}
+		if !ValidValue(value) {
+			return nil, ing_errors.NewLocationDenied("invalid client-headers in configmap")
+		}
 		if !slices.Contains(defBackend.AllowedResponseHeaders, header) {
 			return nil, ing_errors.NewLocationDenied(fmt.Sprintf("header %s is not allowed, defined allowed headers inside global-allowed-response-headers %v", header, defBackend.AllowedResponseHeaders))
 		}
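Review bot: The unescaped `]` in the `(){}[]` run on the added `valueRegexp` line closes the character class early, so the rest of the pattern (`@<>=-\+\*#$&<|~^%]+$`) is parsed as top-level regex syntax: `$` becomes an end-of-text anchor, `|` an alternation and `^` a start-of-text anchor. As far as I can read it, neither resulting branch can match any input, which would make `ValidValue` reject every configmap value rather than filter it. Escaping the brackets and moving `-` to the end keeps the whole set inside one class, e.g. the pattern `^[a-zA-Z\d_ :;.,/"'?!(){}\[\]@<>=+*#$&|~^%-]+$`. A unit test asserting that a representative value such as `max-age=31536000; includeSubDomains` matches while a value containing `\r\n` does not would have caught this and pins the CR/LF exclusion that is presumably the point of the check.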
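Review bot: The parameter of the new `ValidValue` is named `header` although the function is applied to a header value, and the doc comment copies the "checks is" wording from `ValidHeader` instead of the Go doc form. Suggest `// ValidValue reports whether value matches the allowed header-value character set.` over `func ValidValue(value string) bool {` with `return valueRegexp.MatchString(value)` as the body.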
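Review bot: The new `!ValidValue(value)` branch returns the exact same message as the header-name check (`"invalid client-headers in configmap"`), so an operator cannot tell from the event which check rejected the configmap or which key is affected. Since `fmt` and the header key are already in scope here, something like `return nil, ing_errors.NewLocationDenied(fmt.Sprintf("invalid value for client-header %q in configmap", header))` names the offending entry without echoing the rejected value. The `Parse` body continues outside this hunk.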