diff --git a/modules/caddyhttp/matchers.go b/modules/caddyhttp/matchers.go
index b7a304f622d..d641cb68dea 100644
--- a/modules/caddyhttp/matchers.go
+++ b/modules/caddyhttp/matchers.go
@@ -445,6 +445,10 @@ func matchHeaders(input, against http.Header, host string) bool {
 			// match if the header field exists at all
 			continue
 		}
+		if allowedFieldVals == nil && actualFieldVals == nil {
+			// a nil list means match if the header does not exist at all
+			continue
+		}
 		var match bool
 	fieldVals:
 		for _, actualFieldVal := range actualFieldVals {
diff --git a/modules/caddyhttp/matchers_test.go b/modules/caddyhttp/matchers_test.go
index 9a2836de5f4..51db67d885b 100644
--- a/modules/caddyhttp/matchers_test.go
+++ b/modules/caddyhttp/matchers_test.go
@@ -480,6 +480,16 @@ func TestHeaderMatcher(t *testing.T) {
 			host:   "caddyserver.com",
 			expect: false,
 		},
+		{
+			match:  MatchHeader{"Must-Not-Exist": nil},
+			input:  http.Header{},
+			expect: true,
+		},
+		{
+			match:  MatchHeader{"Must-Not-Exist": nil},
+			input:  http.Header{"Must-Not-Exist": []string{"do not match"}},
+			expect: false,
+		},
 	} {
 		req := &http.Request{Header: tc.input, Host: tc.host}
 		actual := tc.match.Match(req)