diff --git a/CHANGES b/CHANGES
index f05c22f57..83e960bf2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1899,3 +1899,7 @@
 * graphs: sort disk contents by usage
 * backups: show apps that are not automatically backed up in backup view
 * turn: deny local address peers https://www.rtcsec.com/2020/04/01-slack-webrtc-turn-compromise/
+
+[5.2.0]
+* Fix crash with misconfigured reverse proxy
+
diff --git a/src/routes/apps.js b/src/routes/apps.js
index 74df60d58..313e2eb70 100644
--- a/src/routes/apps.js
+++ b/src/routes/apps.js
@@ -645,11 +645,12 @@ function exec(req, res, next) {
 if (safe.query(req.resource, 'manifest.addons.docker') && req.user.role !== users.ROLE_OWNER) return next(new HttpError(403, '"owner" role is requied to exec app with docker addon'));
+// in a badly configured reverse proxy, we might be here without an upgrade
+if (req.headers['upgrade'] !== 'tcp') return next(new HttpError(404, 'exec requires TCP upgrade'));
+
 apps.exec(req.resource, { cmd: cmd, rows: rows, columns: columns, tty: tty }, function (error, duplexStream) {
 if (error) return next(BoxError.toHttpError(error));
-if (req.headers['upgrade'] !== 'tcp') return next(new HttpError(404, 'exec requires TCP upgrade'));
-
 req.clearTimeout();
 res.sendUpgradeHandshake();
@@ -683,6 +684,9 @@ function execWebSocket(req, res, next) {
 var tty = req.query.tty === 'true' ? true : false;
+// in a badly configured reverse proxy, we might be here without an upgrade
+if (req.headers['upgrade'] !== 'websocket') return next(new HttpError(404, 'exec requires websocket'));
+
 apps.exec(req.resource, { cmd: cmd, rows: rows, columns: columns, tty: tty }, function (error, duplexStream) {
 if (error) return next(BoxError.toHttpError(error));
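Review bot: The new guard in exec, placed ahead of `apps.exec`, compares the Upgrade token case-sensitively and reports the failure as 404, which tells an operator "no such route" when the actual problem is a proxy that stripped the upgrade; RFC 7230 treats protocol names in `Upgrade` as case-insensitive, and `426 Upgrade Required` is the status that names this condition. Unless the 404 is deliberately chosen to avoid advertising the endpoint, I would write `var upgrade = String(req.headers['upgrade'] || '').toLowerCase();` followed by `if (upgrade !== 'tcp') return next(new HttpError(426, 'exec requires TCP upgrade'));`. Running the check before `apps.exec` is the right fix on its own, since the old placement had already started the exec and then returned without closing `duplexStream` — presumably the crash the CHANGES entry refers to. The same comparison added to execWebSocket in the next hunk would want identical treatment so the two entry points stay consistent. exec's body continues outside the hunk.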