From b1c2c79d80a153b09b5318c8b2fa488735bf25d2 Mon Sep 17 00:00:00 2001
From: jonaswinkler <17569239+jonaswinkler@users.noreply.github.com>
Date: Wed, 3 Mar 2021 23:58:53 +0100
Subject: [PATCH] update docs

---
 docs/configuration.rst | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/docs/configuration.rst b/docs/configuration.rst
index 7ffab20d7..48b09213d 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -191,6 +191,16 @@ PAPERLESS_ENABLE_HTTP_REMOTE_USER=<bool>
     Allows authentication via HTTP_REMOTE_USER which is used by some SSO
     applications.
 
+    .. warning::
+
+        This will allow authentication by simply adding a ``Remote-User: <username>`` header
+        to a request. Use with care! You especially *must* ensure that any such header is not
+        passed from your proxy server to paperless.
+
+        If you're exposing paperless to the internet directly, do not use this.
+
+        Also see the warning `in the official documentation <https://docs.djangoproject.com/en/3.1/howto/auth-remote-user/#configuration>`.
+
     Defaults to `false` which disables this feature.
     
 PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME=<str>