diff --git a/zddc/README.md b/zddc/README.md
index 8ea172f..31f4d3e 100644
--- a/zddc/README.md
+++ b/zddc/README.md
@@ -190,6 +190,10 @@ push code/images but cannot `kubectl exec` into the running container. It surfac
   `kubectl exec -- env | grep ^ZDDC_` for diagnosing chart / deployment overrides.
 - **`/.admin/logs`** — recent log entries (last 500) from an in-memory ring buffer.
   Optional `?level=info|warn|error|debug` and `?since=<RFC3339>` query params.
+  At `ZDDC_LOG_LEVEL=debug` every request also logs its full header map under
+  `msg=request headers` — useful for diagnosing proxy / SSO header passthrough
+  (e.g. confirming which header carries the email). Note: that dump includes
+  auth tokens and cookies; only enable debug in trusted environments.
 - **`/.admin/`** — HTML dashboard that fetches the three JSON endpoints client-side.
 
 ### Authorization
diff --git a/zddc/internal/handler/middleware.go b/zddc/internal/handler/middleware.go
index 88a2e91..d354301 100644
--- a/zddc/internal/handler/middleware.go
+++ b/zddc/internal/handler/middleware.go
@@ -20,6 +20,18 @@ const EmailKey contextKey = "email"
 func ACLMiddleware(cfg config.Config, next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		email := r.Header.Get(cfg.EmailHeader)
+		// DEBUG-level header dump for diagnosing proxy / SSO header
+		// passthrough. Off by default (LogLevel info); enable with
+		// ZDDC_LOG_LEVEL=debug. Logs the configured header name, the
+		// observed value at that name, and the full request header
+		// map so an operator can see exactly what reached the binary.
+		// Note: at debug level this also captures auth tokens, cookies,
+		// and anything else upstream proxies forward — only enable in
+		// trusted environments.
+		slog.Debug("request headers",
+			"configured", cfg.EmailHeader,
+			"observed", email,
+			"headers", r.Header)
 		ctx := context.WithValue(r.Context(), EmailKey, email)
 		next.ServeHTTP(w, r.WithContext(ctx))
 	})