From 081b8a7fcce27e236dfb4bf3aab59c60dab74921 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 14 Mar 2025 21:39:20 +0100 Subject: [PATCH] extension related to https://github.com/Kozea/Radicale/issues/1529 --- DOCUMENTATION.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 8b6cbcbf..7bde4cbb 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -506,7 +506,9 @@ RequestHeader set X-Remote-User expr=%{REMOTE_USER} ``` > **Security:** Untrusted clients should not be able to access the Radicale -> server directly. Otherwise, they can authenticate as any user. +> server directly. Otherwise, they can authenticate as any user by simply +> setting related HTTP header. This can be prevented by restrict listen to +> loopback interface only or at least a local firewall rule. #### Secure connection between Radicale and the reverse proxy
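Review bot: The three added lines of the Security note in DOCUMENTATION.md are ungrammatical and do not say which header or which mitigation target is meant. "setting related HTTP header" should name the header shown in the context line above, `X-Remote-User`, and "by restrict listen to loopback interface only" should read "by restricting Radicale to listen on the loopback interface only". Suggested wording: "Otherwise, they can authenticate as any user by simply setting the `X-Remote-User` HTTP header. This can be prevented by restricting Radicale to listen on the loopback interface only, or at least by a local firewall rule." The firewall alternative should also state that the rule must admit only the reverse proxy, since the following section, "Secure connection between Radicale and the reverse proxy", suggests setups where loopback-only is not an option.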