From b6169a87c29af84e45422df252e972ddf8cdd37e Mon Sep 17 00:00:00 2001 From: Ingo Schommer Date: Wed, 29 Jul 2020 14:28:20 +1200 Subject: [PATCH 1/2] DOCS HTTP header in server requirements --- docs/en/00_Getting_Started/00_Server_Requirements.md | 10 ++++++++++ .../09_Security/04_Secure_Coding.md | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/docs/en/00_Getting_Started/00_Server_Requirements.md b/docs/en/00_Getting_Started/00_Server_Requirements.md index c4c5f374f..3574fcf03 100644 --- a/docs/en/00_Getting_Started/00_Server_Requirements.md +++ b/docs/en/00_Getting_Started/00_Server_Requirements.md @@ -112,6 +112,16 @@ For example, Apache allows this through `Header setifempty` (see [docs](https:// See [Developer Guide: Performance](/developer_guides/performance/) and [Developer Guides: File Security](/developer_guides/files/file_security) for more details. +Silverstripe relies on the `Host` header to construct URLs such as "reset password" links, +so you'll need to ensure that the systems hosting it only allow valid values for this header. +See [Developer Guide: Security - Request hostname forgery](/developer_guides/security/secure_coding#request-hostname-forgery). + +### CDNs and other Reverse Proxies + +If your Silverstripe site is hosted behind multiple HTTP layers, +you're in charge of controlling which forwarded headers are considered valid, +and which IPs can set them. See See [Developer Guide: Security - Request hostname forgery](/developer_guides/security/secure_coding#request-hostname-forgery). + ### Symlinks SilverStripe is a modular system, with modules installed and updated diff --git a/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md b/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md index 003813491..f6a9dd010 100644 --- a/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md +++ b/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md 
@@ -648,7 +648,7 @@ This is a recommended option to secure any controller which displays or submits sensitive user input, and is enabled by default in all CMS controllers, as well as the login form. -## Request hostname forgery +## Request hostname forgery {#request-hostname-forgery} To prevent a forged hostname appearing being used by the application, SilverStripe allows the configure of a whitelist of hosts that are allowed to access the system. By defining From 914c6fbe08927fb07c528751b211f1671bf0b498 Mon Sep 17 00:00:00 2001 From: Robbie Averill Date: Wed, 29 Jul 2020 10:44:20 -0700 Subject: [PATCH 2/2] Remove duplicate "see" word in docs [ci skip] --- docs/en/00_Getting_Started/00_Server_Requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/00_Getting_Started/00_Server_Requirements.md b/docs/en/00_Getting_Started/00_Server_Requirements.md index 3574fcf03..51a7424ab 100644 --- a/docs/en/00_Getting_Started/00_Server_Requirements.md +++ b/docs/en/00_Getting_Started/00_Server_Requirements.md @@ -120,7 +120,7 @@ See [Developer Guide: Security - Request hostname forgery](/developer_guides/sec If your Silverstripe site is hosted behind multiple HTTP layers, you're in charge of controlling which forwarded headers are considered valid, -and which IPs can set them. See See [Developer Guide: Security - Request hostname forgery](/developer_guides/security/secure_coding#request-hostname-forgery). +and which IPs can set them. See [Developer Guide: Security - Request hostname forgery](/developer_guides/security/secure_coding#request-hostname-forgery). ### Symlinks
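Review bot: the added line `and which IPs can set them. See See [Developer Guide: ...]` in the "CDNs and other Reverse Proxies" hunk of 00_Server_Requirements.md duplicates the word "See"; drop one so the series does not need a follow-up commit for it. Two smaller points in the same hunk: the new paragraphs write "Silverstripe" while the unchanged context two lines below ("SilverStripe is a modular system") uses "SilverStripe", so pick one spelling for the file; and "you're in charge of controlling which forwarded headers are considered valid, and which IPs can set them" tells the reader they must configure something without saying what, so consider naming the setting the linked section documents (the trusted proxy IP list, `SS_TRUSTED_PROXY_IPS`, and the host whitelist, `SS_ALLOWED_HOSTS`) rather than leaving the reader to infer it from the link target.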
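Review bot: the explicit heading id `{#request-hostname-forgery}` added in 04_Secure_Coding.md only works if the docs renderer supports attribute lists on headings; if it does not, the braces will be rendered literally in the heading text and the new cross-links from 00_Server_Requirements.md will still not resolve, so please confirm the build produces that anchor before merging. While touching this heading it is also worth fixing the grammar in the unchanged context immediately below it: "To prevent a forged hostname appearing being used by the application, SilverStripe allows the configure of a whitelist" should read "To prevent a forged hostname being used by the application, SilverStripe allows the configuration of a whitelist".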
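Review bot: PATCH 2/2 only removes the duplicated "See" that PATCH 1/2 introduced on the same line, so it would be cleaner to squash it into the first commit rather than have the series add a typo and then fix it; the `[ci skip]` marker is appropriate either way since the change is documentation only. The resulting line, `and which IPs can set them. See [Developer Guide: Security - Request hostname forgery](/developer_guides/security/secure_coding#request-hostname-forgery).`, is correct as written.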