diff --git a/Network/HTTP/ReverseProxy.hs b/Network/HTTP/ReverseProxy.hs
index 218d937..b7718c2 100644
--- a/Network/HTTP/ReverseProxy.hs
+++ b/Network/HTTP/ReverseProxy.hs
@@ -6,6 +6,7 @@
 {-# LANGUAGE LambdaCase            #-}
 {-# LANGUAGE TupleSections         #-}
 {-# LANGUAGE CPP                   #-}
+
 module Network.HTTP.ReverseProxy
     ( -- * Types
       ProxyDest (..)
@@ -78,6 +79,23 @@ data ProxyDest = ProxyDest
     , pdPort :: !Int
     } deriving (Read, Show, Eq, Ord, Generic)
 
+-- | Trim optional whitespace (OWS) from both ends of a strict 'ByteString'.
+
+-- Per RFC 7230 §3.2.3, OWS = SP / HTAB. This function removes only leading
+-- and trailing space (0x20) and horizontal tab (0x09) bytes. It does not
+-- modify internal whitespace.
+
+-- On newer @bytestring@ versions (those that provide
+-- 'Data.ByteString.Char8.strip') this is a thin wrapper around that
+-- function; on older versions we provide a compatible fallback.
+trimOWS :: S8.ByteString -> S8.ByteString
+#if MIN_VERSION_bytestring(0,12,0)
+trimOWS = S8.strip
+#else
+trimOWS = S8.reverse . S8.dropWhile isOWS . S8.reverse . S8.dropWhile isOWS
+  where isOWS c = c == ' ' || c == '\t'
+#endif
+
 -- | Set up a reverse proxy server, which will have a minimal overhead.
 --
 -- This function uses raw sockets, parsing as little of the request as
@@ -361,7 +379,7 @@ fixReqHeaders wps req =
     fromSocket = (("X-Real-IP", S8.pack $ showSockAddr $ WAI.remoteHost req):)
     fromForwardedFor = do
       h <- lookup "x-forwarded-for" (WAI.requestHeaders req)
-      listToMaybe $ map S8.strip $ S8.split ',' h
+      listToMaybe $ map trimOWS $ S8.split ',' h
     addXRealIP =
         case wpsSetIpHeader wps of
             SIHFromSocket -> fromSocket
diff --git a/http-reverse-proxy.cabal b/http-reverse-proxy.cabal
index b3a81df..43c025e 100644
--- a/http-reverse-proxy.cabal
+++ b/http-reverse-proxy.cabal
@@ -28,23 +28,23 @@ library
 
   build-depends:
       base               >=4.11 && <5
-    , blaze-builder      >=0.3
-    , bytestring         >=0.9
-    , case-insensitive   >=0.4
-    , conduit            >=1.3
-    , conduit-extra
-    , containers
-    , http-client        >=0.3
-    , http-types         >=0.6
-    , network
-    , resourcet
-    , streaming-commons
-    , text               >=0.11
-    , transformers
-    , unliftio           >=0.2
-    , wai                >=3.0
-    , wai-logger
-    , word8              >=0.0
+    , blaze-builder      >=0.3  && <0.5
+    , bytestring         >=0.9  && <0.13
+    , case-insensitive   >=0.4  && <1.3
+    , conduit            >=1.3  && <1.4
+    , conduit-extra      <1.4
+    , containers         <0.9
+    , http-client        >=0.3  && <0.8
+    , http-types         >=0.6  && <0.13
+    , network            <3.3
+    , resourcet          <1.4
+    , streaming-commons  <0.3
+    , text               >=0.11 && <2.2
+    , transformers       <0.7
+    , unliftio           >=0.2  && <0.3
+    , wai                >=3.0  && <3.3
+    , wai-logger         >=2.0  && <2.6
+    , word8              >=0.0  && <0.2
 
 test-suite test
   default-language: Haskell2010
@@ -71,4 +71,4 @@ test-suite test
 
 source-repository head
   type:     git
-  location: git://github.com/fpco/http-reverse-proxy.git
+  location: https://github.com/fpco/http-reverse-proxy.git