diff --git a/lib/anubis_test.go b/lib/anubis_test.go
index cc20352..5599139 100644
--- a/lib/anubis_test.go
+++ b/lib/anubis_test.go
@@ -926,3 +926,42 @@ func TestPassChallengeXSS(t *testing.T) {
 		}
 	})
 }
+
+func TestXForwardedForNoDoubleComma(t *testing.T) {
+	var h http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("X-Forwarded-For", r.Header.Get("X-Forwarded-For"))
+		fmt.Fprintln(w, "OK")
+	})
+
+	h = internal.XForwardedForToXRealIP(h)
+	h = internal.XForwardedForUpdate(false, h)
+
+	pol := loadPolicies(t, "testdata/permissive.yaml", 4)
+
+	srv := spawnAnubis(t, Options{
+		Next:   h,
+		Policy: pol,
+	})
+	ts := httptest.NewServer(srv)
+	t.Cleanup(ts.Close)
+
+	req, err := http.NewRequest(http.MethodGet, ts.URL, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	req.Header.Set("X-Real-Ip", "10.0.0.1")
+
+	resp, err := ts.Client().Do(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("response status is wrong, wanted %d but got: %s", http.StatusOK, resp.Status)
+	}
+
+	if xff := resp.Header.Get("X-Forwarded-For"); strings.HasPrefix(xff, ",,") {
+		t.Errorf("X-Forwarded-For has two leading commas: %q", xff)
+	}
+}
diff --git a/lib/testdata/permissive.yaml b/lib/testdata/permissive.yaml
new file mode 100644
index 0000000..8e750d8
--- /dev/null
+++ b/lib/testdata/permissive.yaml
@@ -0,0 +1,4 @@
+bots:
+  - import: (data)/common/allow-private-addresses.yaml
+
+dnsbl: false