From fadf281734a9925eb9c36c534a6d3da523aceb2d Mon Sep 17 00:00:00 2001
From: Peter Bieringer <pb@bieringer.de>
Date: Sun, 30 Apr 2023 09:01:26 +0200
Subject: [PATCH] don't trust headers from external

---
 DOCUMENTATION.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md
index 5f14fa87..8d59d958 100644
--- a/DOCUMENTATION.md
+++ b/DOCUMENTATION.md
@@ -355,6 +355,7 @@ RewriteRule ^/radicale$ /radicale/ [R,L]
     ProxyPassReverse http://localhost:5232/
     RequestHeader    set X-Script-Name /radicale
     RequestHeader    set X-Forwarded-Port "%{SERVER_PORT}s"
+    RequestHeader    unset X-Forwarded-Proto
     <If "%{HTTPS} =~ /on/">
     RequestHeader    set X-Forwarded-Proto "https"
     </If>
@@ -371,6 +372,7 @@ RewriteRule ^(.*)$ http://localhost:5232/$1 [P,L]
 # Set to directory of .htaccess file:
 RequestHeader set X-Script-Name /radicale
 RequestHeader set X-Forwarded-Port "%{SERVER_PORT}s"
+RequestHeader unset X-Forwarded-Proto
 <If "%{HTTPS} =~ /on/">
 RequestHeader set X-Forwarded-Proto "https"
 </If>