diff --git a/javascript/ql/src/semmle/javascript/frameworks/Express.qll b/javascript/ql/src/semmle/javascript/frameworks/Express.qll
index c0163a143fe..b2e1283e907 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Express.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Express.qll
@@ -479,6 +479,17 @@ module Express {
 methodName = "header"
 )
 or
+ exists (DataFlow::PropRead headers |
+ // `req.headers.name`
+ kind = "header" and
+ headers.accesses(request, "headers") and
+ this = headers.getAPropertyRead(_))
+ or
+ exists (string propName | propName = "host" or propName = "hostname" |
+ // `req.host` and `req.hostname` are derived from headers
+ kind = "header" and
+ this.(DataFlow::PropRead).accesses(request, propName))
+ or
 // `req.cookies`
 kind = "cookie" and
 this.(DataFlow::PropRef).accesses(request, "cookies")
diff --git a/javascript/ql/test/library-tests/frameworks/Express/RequestInputAccess.expected b/javascript/ql/test/library-tests/frameworks/Express/RequestInputAccess.expected
index ebfd4b31eeb..8f759c8a1d5 100644
--- a/javascript/ql/test/library-tests/frameworks/Express/RequestInputAccess.expected
+++ b/javascript/ql/test/library-tests/frameworks/Express/RequestInputAccess.expected
@@ -12,3 +12,6 @@
 | src/express.js:28:3:28:16 | req.get("foo") | header | src/express.js:22:30:32:1 | functio ... ar');\\n} |
 | src/express.js:29:3:29:19 | req.header("bar") | header | src/express.js:22:30:32:1 | functio ... ar');\\n} |
 | src/express.js:30:3:30:13 | req.cookies | cookie | src/express.js:22:30:32:1 | functio ... ar');\\n} |
+| src/express.js:47:3:47:17 | req.headers.baz | header | src/express.js:46:22:50:1 | functio ... name;\\n} |
+| src/express.js:48:3:48:10 | req.host | header | src/express.js:46:22:50:1 | functio ... name;\\n} |
+| src/express.js:49:3:49:14 | req.hostname | header | src/express.js:46:22:50:1 | functio ... name;\\n} |
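Review bot: The new `req.headers` branch only classifies a named property read of the headers object, so a bare `req.headers` (handed whole to a logger, template or `JSON.stringify`) is not a header input, whereas the neighbouring `req.cookies` branch does match the whole object; if `getAPropertyRead(_)` binds only statically known property names, a computed read such as `req.headers[name]` is missed too. Consider `this = headers or this = headers.getAPropertyRead()` in place of `this = headers.getAPropertyRead(_)` so both the object and any key read off it are covered. The `host`/`hostname` list could also carry the other properties Express documents as header-derived — `subdomains` (built from `hostname`) and, when `trust proxy` is set, `ip`, `ips` and `protocol` taken from the `X-Forwarded-*` headers — since those are exactly the values a client controls through a spoofed `Host` or forwarded header. The enclosing predicate starts and ends outside the hunk.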
diff --git a/javascript/ql/test/library-tests/frameworks/Express/src/express.js b/javascript/ql/test/library-tests/frameworks/Express/src/express.js
index ddbda24cd29..c3a96a3d645 100644
--- a/javascript/ql/test/library-tests/frameworks/Express/src/express.js
+++ b/javascript/ql/test/library-tests/frameworks/Express/src/express.js
@@ -42,3 +42,9 @@ function getArrowHandler() {
 return (req, res) => f();
 }
 app.use(getArrowHandler());
+
+app.post('/headers', function(req, res) {
+ req.headers.baz;
+ req.host;
+ req.hostname;
+});
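Review bot: The new `/headers` handler only exercises a dotted, statically named read (`req.headers.baz`), so the test cannot tell whether a bracket read with a dynamic key or a bare `req.headers` reference is recognised as header input, and the expected output would silently stay green if they are not. Adding `req.headers['x-forwarded-for'];`, `req.headers[name];` and a plain `req.headers;` line to this handler would pin the intended coverage (the `.expected` file then gains or lacks rows accordingly). A one-line comment such as `// header-derived request properties must be reported as kind "header"` above the handler would also make the fixture's purpose explicit.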