diff --git a/src/core/server/http/http_config.test.ts b/src/core/server/http/http_config.test.ts
index f13d2e418cb09..3aef1e14cf48a 100644
--- a/src/core/server/http/http_config.test.ts
+++ b/src/core/server/http/http_config.test.ts
@@ -252,6 +252,34 @@ test('accepts any type of objects for custom headers', () => {
   expect(() => httpSchema.validate(obj)).not.toThrow();
 });
 
+test('forbids the "location" custom response header', () => {
+  const httpSchema = config.schema;
+  const obj = {
+    customResponseHeaders: {
+      location: 'string',
+      Location: 'string',
+      lOcAtIoN: 'string',
+    },
+  };
+  expect(() => httpSchema.validate(obj)).toThrowErrorMatchingInlineSnapshot(
+    `"[customResponseHeaders]: The following custom response headers are not allowed to be set: location, Location, lOcAtIoN"`
+  );
+});
+
+test('forbids the "refresh" custom response header', () => {
+  const httpSchema = config.schema;
+  const obj = {
+    customResponseHeaders: {
+      refresh: 'string',
+      Refresh: 'string',
+      rEfReSh: 'string',
+    },
+  };
+  expect(() => httpSchema.validate(obj)).toThrowErrorMatchingInlineSnapshot(
+    `"[customResponseHeaders]: The following custom response headers are not allowed to be set: refresh, Refresh, rEfReSh"`
+  );
+});
+
 describe('with TLS', () => {
   test('throws if TLS is enabled but `redirectHttpFromPort` is equal to `port`', () => {
     const httpSchema = config.schema;
diff --git a/src/core/server/http/http_config.ts b/src/core/server/http/http_config.ts
index 98ad33817148e..48d8752ad46ff 100644
--- a/src/core/server/http/http_config.ts
+++ b/src/core/server/http/http_config.ts
@@ -20,6 +20,9 @@ const hostURISchema = schema.uri({ scheme: ['http', 'https'] });
 const match = (regex: RegExp, errorMsg: string) => (str: string) =>
   regex.test(str) ? undefined : errorMsg;
 
+// The lower-case set of response headers which are forbidden within `customResponseHeaders`.
+const RESPONSE_HEADER_DENY_LIST = ['location', 'refresh'];
+
 // before update to make sure it's in sync with validation rules in Legacy
 // https://github.com/elastic/kibana/blob/master/src/legacy/server/config/schema.js
 export const config = {
@@ -58,6 +61,16 @@ export const config = {
       ),
       customResponseHeaders: schema.recordOf(schema.string(), schema.any(), {
         defaultValue: {},
+        validate(value) {
+          const forbiddenKeys = Object.keys(value).filter((headerName) =>
+            RESPONSE_HEADER_DENY_LIST.includes(headerName.toLowerCase())
+          );
+          if (forbiddenKeys.length > 0) {
+            return `The following custom response headers are not allowed to be set: ${forbiddenKeys.join(
+              ', '
+            )}`;
+          }
+        },
       }),
       host: schema.string({
         defaultValue: 'localhost',