From ff1204441f5bdeefaec3efa6ba741497a71f5daf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20Hoguin?= Date: Thu, 27 Mar 2025 10:57:11 +0100 Subject: Add a paragraph about HTTP/2 compressed headers security risk --- doc/src/guide/protocols.asciidoc | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'doc/src') diff --git a/doc/src/guide/protocols.asciidoc b/doc/src/guide/protocols.asciidoc index cd6de2c..daf2d66 100644 --- a/doc/src/guide/protocols.asciidoc +++ b/doc/src/guide/protocols.asciidoc @@ -65,6 +65,15 @@ cancellation mechanism which allows Gun to inform the server to stop sending a response for this particular request, saving resources. +Note that because HTTP/2 headers are compressed, there +are scenarios where it is possible to probe or extract +data, creating security risks. One scenario being the +use of Gun as a proxy to create a single connection to +an origin, with requests coming from multiple mutually +distrustful entities. Gun will provide configuration +options to restrict headers that can be compressed in +a future release. + === Websocket Websocket is a binary protocol built on top of HTTP that -- cgit v1.2.3
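Review bot: the new paragraph in protocols.asciidoc names the risk but gives no interim mitigation, and "Gun will provide configuration options ... in a future release" leaves the reader with nothing actionable until that lands; consider adding one sentence advising against the described deployment (a single shared connection carrying requests from mutually distrustful entities) in the meantime, and pointing to the tracking issue for the planned option if one exists. The sentence "One scenario being the use of Gun as a proxy ..." is a fragment; suggest "One such scenario is the use of Gun as a proxy ...". It would also help readers to say which mechanism is at play, i.e. that HTTP/2 header compression (HPACK) lets one party's headers influence the encoded size of another's, so they can recognise the class of side channel being described.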