From a2814ca3fef430baf6d5154f0b91bd3ce4b8912b Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Tue, 14 Apr 2026 10:01:10 +0200 Subject: [PATCH] docs: self-hosting rate limit header Add note about requiring a trusted upstream proxy for rate-limit header --- README.md | 2 +- example.env | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index fec66a4dda..6e29e4ca93 100644 --- a/README.md +++ b/README.md @@ -206,7 +206,7 @@ Use this to disable phone signups (users can still use external OAuth providers `GOTRUE_RATE_LIMIT_HEADER` - `string` -Header on which to rate limit the `/token` endpoint. +Header on which to rate limit the `/token` endpoint. This header is expected to be set by a trusted upstream proxy (such as Kong or Envoy). Headers such as `x-forwarded-for` are spoofable and can not be trusted for rate limiting when supplied directly by the client. `GOTRUE_RATE_LIMIT_EMAIL_SENT` - `string` diff --git a/example.env b/example.env index b988246435..692606ab72 100644 --- a/example.env +++ b/example.env @@ -245,6 +245,8 @@ GOTRUE_SECURITY_REFRESH_TOKEN_ROTATION_ENABLED="false" GOTRUE_SECURITY_REFRESH_TOKEN_REUSE_INTERVAL="0" GOTRUE_SECURITY_UPDATE_PASSWORD_REQUIRE_REAUTHENTICATION="false" GOTRUE_OPERATOR_TOKEN="unused-operator-token" + +# Trusted rate limiting header - this should be set by a trusted upstream proxy GOTRUE_RATE_LIMIT_HEADER="X-Forwarded-For" GOTRUE_RATE_LIMIT_EMAIL_SENT="100"
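Review bot: In the README.md hunk, the new sentence for `GOTRUE_RATE_LIMIT_HEADER` tells operators the header must come from a trusted proxy but does not say what "trusted" has to mean for the rate limit to hold: the proxy must strip or overwrite the client-supplied value rather than append to it, because with an appended `X-Forwarded-For` the list still starts with whatever the client sent, and the documentation should say which position in a comma-separated value the server reads. It would also help to state the safe choice for deployments with no proxy in front of the `/token` endpoint (leave the variable unset so the limiter keys on the connection address rather than on a client-controlled header). Minor wording: "can not be trusted" should read "cannot be trusted".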
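Review bot: In the example.env hunk, the new comment "Trusted rate limiting header - this should be set by a trusted upstream proxy" sits directly above `GOTRUE_RATE_LIMIT_HEADER="X-Forwarded-For"`, which is exactly the header the README hunk in this same patch calls spoofable when supplied directly by the client; a copy of example.env used without a proxy therefore ships the unsafe configuration with a comment that reads as reassurance. Suggest either commenting the value out in the example (e.g. `# GOTRUE_RATE_LIMIT_HEADER="X-Forwarded-For"`) or extending the comment to say that the variable must be left unset unless a proxy in front of this service overwrites the header, and pointing at the README entry for the reasoning. The added blank line before the comment also detaches the rate-limit settings from the `GOTRUE_OPERATOR_TOKEN` line above without a heading; if the intent is a new group, the other sections of this file should be followed for how groups are introduced.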