diff --git a/pkg/validation/common.go b/pkg/validation/common.go
new file mode 100644
index 00000000..cd70b594
--- /dev/null
+++ b/pkg/validation/common.go
@@ -0,0 +1,43 @@
+package validation
+
+import (
+	"encoding/base64"
+	"fmt"
+	"os"
+
+	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
+)
+
+func validateSecretSource(source options.SecretSource) string {
+	switch {
+	case len(source.Value) > 0 && source.FromEnv == "" && source.FromFile == "":
+		return validateSecretSourceValue(source.Value)
+	case len(source.Value) == 0 && source.FromEnv != "" && source.FromFile == "":
+		return validateSecretSourceEnv(source.FromEnv)
+	case len(source.Value) == 0 && source.FromEnv == "" && source.FromFile != "":
+		return validateSecretSourceFile(source.FromFile)
+	default:
+		return "multiple values specified for secret source: specify either value, fromEnv of fromFile"
+	}
+}
+
+func validateSecretSourceValue(value []byte) string {
+	if _, err := base64.StdEncoding.Decode([]byte{}, value); err != nil {
+		return fmt.Sprintf("error decoding secret value: %v", err)
+	}
+	return ""
+}
+
+func validateSecretSourceEnv(key string) string {
+	if value := os.Getenv(key); value == "" {
+		return fmt.Sprintf("error loading secret from environent: no value for for key %q", key)
+	}
+	return ""
+}
+
+func validateSecretSourceFile(path string) string {
+	if _, err := os.Stat(path); err != nil {
+		return fmt.Sprintf("error loadig secret from file: %v", err)
+	}
+	return ""
+}
diff --git a/pkg/validation/header.go b/pkg/validation/header.go
new file mode 100644
index 00000000..6d2cad34
--- /dev/null
+++ b/pkg/validation/header.go
@@ -0,0 +1,52 @@
+package validation
+
+import (
+	"fmt"
+
+	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
+)
+
+func validateHeaders(headers []options.Header) []string {
+	msgs := []string{}
+	names := make(map[string]struct{})
+
+	for _, header := range headers {
+		msgs = append(msgs, validateHeader(header, names)...)
+	}
+	return msgs
+}
+
+func validateHeader(header options.Header, names map[string]struct{}) []string {
+	msgs := []string{}
+
+	if header.Name == "" {
+		msgs = append(msgs, "header has empty name: names are required for all headers")
+	}
+
+	if _, ok := names[header.Name]; ok {
+		msgs = append(msgs, fmt.Sprintf("multiple headers found with name %q: header names must be unique", header.Name))
+	}
+
+	for _, value := range header.Values {
+		msgs = append(msgs, validateHeaderValue(header.Name, value)...)
+	}
+	return msgs
+}
+
+func validateHeaderValue(name string, value options.HeaderValue) []string {
+	switch {
+	case value.SecretSource != nil && value.ClaimSource == nil:
+		return prefixValues("invalid header value: ", validateSecretSource(*value.SecretSource))
+	case value.SecretSource == nil && value.ClaimSource != nil:
+		return validateHeaderValueClaimSource(*value.ClaimSource)
+	default:
+		return []string{fmt.Sprintf("header %q value has multiple entries: only one entry per value is allowed", name)}
+	}
+}
+
+func validateHeaderValueClaimSource(claim options.ClaimSource) []string {
+	if claim.BasicAuthPassword != nil {
+		return prefixValues("invalid basicAuthPassword: ", validateSecretSource(*claim.BasicAuthPassword))
+	}
+	return []string{}
+}
diff --git a/pkg/validation/utils.go b/pkg/validation/utils.go
new file mode 100644
index 00000000..775befa0
--- /dev/null
+++ b/pkg/validation/utils.go
@@ -0,0 +1,9 @@
+package validation
+
+func prefixValues(prefix string, values ...string) []string {
+	msgs := make([]string, len(values))
+	for i, value := range values {
+		msgs[i] = prefix + value
+	}
+	return msgs
+}