From 1711030cb566d2e837c475af7eea168996b3b0bd Mon Sep 17 00:00:00 2001
From: Daniel Quinn
Date: Wed, 4 Jan 2017 11:37:26 +0000
Subject: [PATCH] Not xss, but host header

---
 paperless.conf.example | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/paperless.conf.example b/paperless.conf.example
index 6e997cbf7..3fb6ceb4b 100644
--- a/paperless.conf.example
+++ b/paperless.conf.example
@@ -95,7 +95,9 @@ PAPERLESS_SHARED_SECRET=""
 # If you're planning on putting Paperless on the open internet, then you
 # really should set this value to the domain name you're using. Failing to do
-# so leaves you open to XSS attacks.
+# so leaves you open to HTTP host header attacks:
+# https://docs.djangoproject.com/en/1.10/topics/security/#host-headers-virtual-hosting
+#
 # Just remember that this is a comma-separated list, so "example.com" is fine,
 # as is "example.com,www.example.com", but NOT " example.com" or "example.com,"
 #PAPERLESS_ALLOWED_HOSTS="example.com,www.example.com"
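Review bot: The corrected `+# so leaves you open to HTTP host header attacks:` line is accurate, but the unchanged context line before it still scopes the advice to "putting Paperless on the open internet", which understates it: the Django check the link describes matters whenever a client can choose the Host header, including a private-network deployment behind a reverse proxy that forwards Host unchanged. Consider tightening the surrounding sentence to `# really should set this value to the domain name(s) you serve it under, even on a private network.` The added link pins the 1.10 docs, which will drift from whatever Django version the project ships with; the unversioned `/en/stable/` path on the same site tracks the current release.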