From 4896cc94384e227ea1a9f9b6a819d4b4ad57ae6d Mon Sep 17 00:00:00 2001 From: DarthSim Date: Thu, 13 Feb 2020 15:42:20 +0600 Subject: [PATCH] Add warning to the IMGPROXY_ALLOWED_SOURCES docs --- docs/configuration.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/configuration.md b/docs/configuration.md index 2e4132b0..288ca1b1 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -69,6 +69,8 @@ You can limit allowed source URLs: * `IMGPROXY_ALLOWED_SOURCES`: whitelist of source image URLs prefixes divided by comma. When blank, imgproxy allows all source image URLs. Example: `s3://,https://example.com/,local://`. Default: blank. +**Warning:** Be careful when using this config to limit source URL hosts, and always add a trailing slash after the host. Bad: `http://example.com`, good: `http://example.com/`. If you don't add a trailing slash, `http://example.com@baddomain.com` will be an allowed URL but the request will be made to `baddomain.com`. + When you use imgproxy in a development environment, it can be useful to ignore SSL verification: * `IMGPROXY_IGNORE_SSL_VERIFICATION`: when true, disables SSL verification, so imgproxy can be used in a development environment with self-signed SSL certificates.
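Review bot: The added **Warning** paragraph under `IMGPROXY_ALLOWED_SOURCES` states the symptom but not the cause. It should say that entries are compared as plain string prefixes (the bullet above already calls them "URLs prefixes") and that in `http://example.com@baddomain.com` everything before the `@` is treated as userinfo rather than the host, so readers can see why the trailing slash is what anchors the host. This commit changes only `docs/configuration.md` (1 file, 2 insertions), so an entry such as `http://example.com` is still accepted silently at runtime. Consider a follow-up that logs a startup warning when an `http://` or `https://` entry names a host without a trailing slash.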