diff --git a/README.md b/README.md
index fec66a4dd..6e29e4ca9 100644
--- a/README.md
+++ b/README.md
@@ -206,7 +206,7 @@ Use this to disable phone signups (users can still use external OAuth providers
 `GOTRUE_RATE_LIMIT_HEADER` - `string`
-Header on which to rate limit the `/token` endpoint.
+Header on which to rate limit the `/token` endpoint. This header is expected to be set by a trusted upstream proxy (such as Kong or Envoy). Headers such as `x-forwarded-for` are spoofable and can not be trusted for rate limiting when supplied directly by the client.
 `GOTRUE_RATE_LIMIT_EMAIL_SENT` - `string`
diff --git a/example.env b/example.env
index b98824643..692606ab7 100644
--- a/example.env
+++ b/example.env
@@ -245,6 +245,8 @@ GOTRUE_SECURITY_REFRESH_TOKEN_ROTATION_ENABLED="false"
 GOTRUE_SECURITY_REFRESH_TOKEN_REUSE_INTERVAL="0"
 GOTRUE_SECURITY_UPDATE_PASSWORD_REQUIRE_REAUTHENTICATION="false"
 GOTRUE_OPERATOR_TOKEN="unused-operator-token"
+
+# Trusted rate limiting header - this should be set by a trusted upstream proxy
 GOTRUE_RATE_LIMIT_HEADER="X-Forwarded-For"
 GOTRUE_RATE_LIMIT_EMAIL_SENT="100"
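Review bot: The new comment in the example.env hunk says the header "should be set by a trusted upstream proxy", but the example value on the very next line is `X-Forwarded-For`, which the README hunk in this same commit describes as spoofable when supplied directly by the client, so a reader copying the example without a proxy in front of the service gets no hint that the rate limit is then bypassable. The comment should state that dependency explicitly, e.g. `# Trusted rate limiting header - only safe when a trusted upstream proxy (e.g. Kong or Envoy) overwrites it; X-Forwarded-For is client-controlled without one`. The `GOTRUE_RATE_LIMIT_HEADER` line itself is unchanged context in this hunk.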