From e399f0df211441b89eaaa213b7cfb32e829a1c1b Mon Sep 17 00:00:00 2001
From: Thien-Thi Nguyen <ttn@gnuvola.org>
Date: Wed, 11 Aug 2021 05:02:24 -0400
Subject: add reverse-proxy ref to leak note -- note FIXME

---
 taler-merchant-manual.rst | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/taler-merchant-manual.rst b/taler-merchant-manual.rst
index 36d9a639..d6ad2d4e 100644
--- a/taler-merchant-manual.rst
+++ b/taler-merchant-manual.rst
@@ -785,6 +785,8 @@ it twice, first creating the ``default`` instance, then creating normal ones.
   This means unauthorized users can distinguish between the case where the
   instance does not exist (HTTP 404) and the case where access is denied
   (HTTP 403).
+  This is all moot behind a properly configured reverse-proxy.
+  FIXME: Link to primary reverse-proxy documentation.
 
 
 KUDOS Accounts
-- 
cgit v1.2.3