Improve docs

dunglas · dunglas · commit fb4f8a9a96ad · 2020-01-28T10:33:32.000+01:00
diff --git a/src/net/http/httputil/reverseproxy.go b/src/net/http/httputil/reverseproxy.go
@@ -25,13 +25,10 @@ import (
 // sends it to another server, proxying the response back to the
 // client.
 //
-// ReverseProxy automatically sets the client IP as the value of the
-// X-Forwarded-For header.
-// If an X-Forwarded-For header already exists, the client IP is
-// appended to the existing values.
-// To prevent IP spoofing, be sure to delete any pre-existing
-// X-Forwarded-For header coming from the client or
-// an untrusted proxy.
+// ReverseProxy automatically sets the X-Forwarded-For,
+// X-Forwarded-Host and X-Forwarded-Proto headers.
+// Previous values of these headers can be preversed by
+// setting TrustForwardedHeaders to true.
 type ReverseProxy struct {
 	// Director must be a function which modifies
 	// the request into a new request to be sent
@@ -86,11 +83,15 @@ type ReverseProxy struct {
 	ErrorHandler func(http.ResponseWriter, *http.Request, error)
 
 	// TrustForwardedHeaders specifies if X-Forwarded-For,
-	// X-Forwarded-Proto and X-Forwarded-Host headers comming from
+	// X-Forwarded-Proto and X-Forwarded-Host headers coming from
 	// the previous proxy must be trusted or not.
+	//
 	// If true, existing values of X-Forwarded-Proto and
 	// X-Forwarded-Host will be preserved, and the current client IP
-	// will be appended to the list in X-Forwarded-For.
+	// will be appended to the list in X-Forwarded-For. In this case
+	// be sure that these 3 headers are removed from the request if
+	// sent by the client to prevent spoofing attacks.
+	//
 	// If false, values of these headers will be set regardless of
 	// any existing value.
 	TrustForwardedHeaders bool
