diff --git a/src/lib/app.ts b/src/lib/app.ts
index 6c1308b8db..580e2b9d00 100644
--- a/src/lib/app.ts
+++ b/src/lib/app.ts
@@ -66,6 +66,11 @@ export default async function getApp(
     app.use(compression());
     app.use(cookieParser());
 
+    app.use((req, res, next) => {
+        req.url = req.url.replace(/\/+/g, '/');
+        next();
+    });
+
     app.use(
         `${baseUriPath}/api/admin/features-batch`,
         express.json({ strict: false, limit: '500kB' }),
diff --git a/src/test/e2e/api/auth/leading-slashes-are-stripped.e2e.test.ts b/src/test/e2e/api/auth/leading-slashes-are-stripped.e2e.test.ts
index 82646ea790..2faf8fcda2 100644
--- a/src/test/e2e/api/auth/leading-slashes-are-stripped.e2e.test.ts
+++ b/src/test/e2e/api/auth/leading-slashes-are-stripped.e2e.test.ts
@@ -29,6 +29,11 @@ afterAll(async () => {
     await db.destroy();
 });
 
+test('Access to//api/admin/tags are refused no matter how many leading slashes', async () => {
+    await app.request.get('//api/admin/tags').expect(401);
+    await app.request.get('////api/admin/tags').expect(401);
+});
+
 test('Access to /api/client/features are refused no matter how many leading slashes', async () => {
     await app.request.get('/api/client/features').expect(401);
     await app.request.get('/////api/client/features').expect(401);