DOCS HTTP header in server requirements

docs/en/00_Getting_Started/00_Server_Requirements.md

@@ -112,6 +112,16 @@ For example, Apache allows this through `Header setifempty` (see [docs](https://
 See [Developer Guide: Performance](/developer_guides/performance/)
 and [Developer Guides: File Security](/developer_guides/files/file_security) for more details.
 
+Silverstripe relies on the `Host` header to construct URLs such as "reset password" links,
+so you'll need to ensure that the systems hosting it only allow valid values for this header.
+See [Developer Guide: Security - Request hostname forgery](/developer_guides/security/secure_coding#request-hostname-forgery).
+
+### CDNs and other Reverse Proxies
+
+If your Silverstripe site is hosted behind multiple HTTP layers,
+you're in charge of controlling which forwarded headers are considered valid,
+and which IPs can set them. See See [Developer Guide: Security - Request hostname forgery](/developer_guides/security/secure_coding#request-hostname-forgery).
+
 ### Symlinks
 
 SilverStripe is a modular system, with modules installed and updated

docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md

@@ -648,7 +648,7 @@ This is a recommended option to secure any controller which displays
 or submits sensitive user input, and is enabled by default in all CMS controllers,
 as well as the login form.
 
-## Request hostname forgery
+## Request hostname forgery {#request-hostname-forgery}
 
 To prevent a forged hostname appearing being used by the application, SilverStripe
 allows the configure of a whitelist of hosts that are allowed to access the system. By defining