diff --git a/modules/proxy/ajp.h b/modules/proxy/ajp.h

index c119a7e..267150a 100644

--- a/modules/proxy/ajp.h

+++ b/modules/proxy/ajp.h

@@ -413,12 +413,14 @@ apr_status_t ajp_ilink_receive(apr_socket_t *sock, ajp_msg_t *msg);

  * @param sock      backend socket

  * @param r         current request

  * @param buffsize  max size of the AJP packet.

+ * @param secret    authentication secret

  * @param uri       requested uri

  * @return          APR_SUCCESS or error

  */

 apr_status_t ajp_send_header(apr_socket_t *sock, request_rec *r,

                              apr_size_t buffsize,

-                             apr_uri_t *uri);

+                             apr_uri_t *uri,

+                             const char *secret);

 /**

  * Read the ajp message and return the type of the message.

diff --git a/modules/proxy/ajp_header.c b/modules/proxy/ajp_header.c

index 67353a7..680a8f3 100644

--- a/modules/proxy/ajp_header.c

+++ b/modules/proxy/ajp_header.c

@@ -213,7 +213,8 @@ AJPV13_REQUEST/AJPV14_REQUEST=

 static apr_status_t ajp_marshal_into_msgb(ajp_msg_t *msg,

                                           request_rec *r,

-                                          apr_uri_t *uri)

+                                          apr_uri_t *uri,

+                                          const char *secret)

 {

     int method;

     apr_uint32_t i, num_headers = 0;

@@ -293,17 +294,15 @@ static apr_status_t ajp_marshal_into_msgb(ajp_msg_t *msg,

                    i, elts[i].key, elts[i].val);

     }

-/* XXXX need to figure out how to do this

-    if (s->secret) {

+    if (secret) {

         if (ajp_msg_append_uint8(msg, SC_A_SECRET) ||

-            ajp_msg_append_string(msg, s->secret)) {

+            ajp_msg_append_string(msg, secret)) {

             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(03228)

-                   "Error ajp_marshal_into_msgb - "

+                   "ajp_marshal_into_msgb: "

                    "Error appending secret");

             return APR_EGENERAL;

         }

     }

- */

     if (r->user) {

         if (ajp_msg_append_uint8(msg, SC_A_REMOTE_USER) ||

@@ -671,7 +670,8 @@ static apr_status_t ajp_unmarshal_response(ajp_msg_t *msg,

 apr_status_t ajp_send_header(apr_socket_t *sock,

                              request_rec *r,

                              apr_size_t buffsize,

-                             apr_uri_t *uri)

+                             apr_uri_t *uri,

+                             const char *secret)

 {

     ajp_msg_t *msg;

     apr_status_t rc;

@@ -683,7 +683,7 @@ apr_status_t ajp_send_header(apr_socket_t *sock,

         return rc;

     }

-    rc = ajp_marshal_into_msgb(msg, r, uri);

+    rc = ajp_marshal_into_msgb(msg, r, uri, secret);

     if (rc != APR_SUCCESS) {

         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00988)

                "ajp_send_header: ajp_marshal_into_msgb failed");

diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c

index f6fb473..f693f63 100644

--- a/modules/proxy/mod_proxy.c

+++ b/modules/proxy/mod_proxy.c

@@ -314,6 +314,12 @@ static const char *set_worker_param(apr_pool_t *p,

                                 (int)sizeof(worker->s->upgrade));

         }

     }

+    else if (!strcasecmp(key, "secret")) {

+        if (PROXY_STRNCPY(worker->s->secret, val) != APR_SUCCESS) {

+            return apr_psprintf(p, "Secret length must be < %d characters",

+                                (int)sizeof(worker->s->secret));

+        }

+    }

     else {

         if (set_worker_hc_param_f) {

             return set_worker_hc_param_f(p, s, worker, key, val, NULL);

diff --git a/modules/proxy/mod_proxy.h b/modules/proxy/mod_proxy.h

index 8a0ad10..f92c185 100644

--- a/modules/proxy/mod_proxy.h

+++ b/modules/proxy/mod_proxy.h

@@ -352,6 +352,7 @@ PROXY_WORKER_HC_FAIL )

 #define PROXY_WORKER_MAX_HOSTNAME_SIZE  64

 #define PROXY_BALANCER_MAX_HOSTNAME_SIZE PROXY_WORKER_MAX_HOSTNAME_SIZE

 #define PROXY_BALANCER_MAX_STICKY_SIZE  64

+#define PROXY_WORKER_MAX_SECRET_SIZE    64

 /* RFC-1035 mentions limits of 255 for host-names and 253 for domain-names,

  * dotted together(?) this would fit the below size (+ trailing NUL).

@@ -443,6 +444,7 @@ typedef struct {

     hcmethod_t      method;     /* method to use for health check */

     apr_interval_time_t interval;

     char      upgrade[PROXY_WORKER_MAX_SCHEME_SIZE];/* upgrade protocol used by mod_proxy_wstunnel */

+    char      secret[PROXY_WORKER_MAX_SECRET_SIZE]; /* authentication secret (e.g. AJP13) */

 } proxy_worker_shared;

 #define ALIGNED_PROXY_WORKER_SHARED_SIZE (APR_ALIGN_DEFAULT(sizeof(proxy_worker_shared)))

diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c

index 051724e..e706518 100644

--- a/modules/proxy/mod_proxy_ajp.c

+++ b/modules/proxy/mod_proxy_ajp.c

@@ -193,6 +193,7 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r,

     apr_off_t content_length = 0;

     int original_status = r->status;

     const char *original_status_line = r->status_line;

+    const char *secret = NULL;

     if (psf->io_buffer_size_set)

        maxsize = psf->io_buffer_size;

@@ -202,12 +203,15 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r,

        maxsize = AJP_MSG_BUFFER_SZ;

     maxsize = APR_ALIGN(maxsize, 1024);

+    if (*conn->worker->s->secret)

+        secret = conn->worker->s->secret;

+

     /*

      * Send the AJP request to the remote server

      */

     /* send request headers */

-    status = ajp_send_header(conn->sock, r, maxsize, uri);

+    status = ajp_send_header(conn->sock, r, maxsize, uri, secret);

     if (status != APR_SUCCESS) {

         conn->close = 1;

         ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(00868)