diff --git a/src/cf.data.pre b/src/cf.data.pre
index 51c90a376e8..4c2b62f8e3c 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -2984,9 +2984,6 @@ DOC_START to the client original destination instead of DIRECT. This overrides 'client_dst_passthru off'.
- For now suspicious intercepted CONNECT requests are always
- responded to with an HTTP 409 (Conflict) error page.
- SECURITY NOTE:
diff --git a/src/client_side_request.cc b/src/client_side_request.cc
index 507f53d32ba..3b1b063ddaa 100644
--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
@@ -389,8 +389,7 @@ void ClientRequestContext::hostHeaderVerifyFailed(const char *A, const char *B) { // IP address validation for Host: failed. Admin wants to ignore them.
- // NP: we do not yet handle CONNECT tunnels well, so ignore for them
- if (!Config.onoff.hostStrictVerify && http->request->method != Http::METHOD_CONNECT) {
+ if (!Config.onoff.hostStrictVerify) {
 debugs(85, 3, "SECURITY ALERT: Host header forgery detected on " << http->getConn()->clientConnection << " (" << A << " does not match " << B << ") on URL: " << http->request->effectiveRequestUri());
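Review bot: With the `METHOD_CONNECT` exclusion dropped from the `if` in hostHeaderVerifyFailed(), an intercepted CONNECT that fails Host verification now takes the relaxed branch whenever `hostStrictVerify` is off, and the only record visible in this hunk is `debugs(85, 3, ...)`, which is below Squid's default `ALL,1` log verbosity. Operators who used to see a 409 for these tunnels would presumably lose that signal, so consider logging the CONNECT case at an important level or documenting that section 85 must be raised to detect it. The rest of the branch lies outside the hunk; please confirm there that a CONNECT tunnel follows the documented "client original destination instead of DIRECT" routing rather than being resolved from the mismatching Host. A comment in place of the removed `// NP:` line would record that intent, e.g. `// CONNECT included: the tunnel must still go to the client's original destination`.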