symfony · javiereguiluz · Jan 18, 2017 · Jan 22, 2017 · xabbuh · Jan 18, 2017
diff --git a/components/http_foundation/trusting_proxies.rst b/components/http_foundation/trusting_proxies.rst
@@ -17,19 +17,20 @@ the actual host may be stored in an ``X-Forwarded-Host`` header.
 
 Since HTTP headers can be spoofed, Symfony does *not* trust these proxy
 headers by default. If you are behind a proxy, you should manually whitelist
-your proxy.
-
-.. versionadded:: 2.3
-    CIDR notation support was introduced in Symfony 2.3, so you can whitelist whole
-    subnets (e.g. ``10.0.0.0/8``, ``fc00::/7``).
+your proxy as follows:
 
 .. code-block:: php
 
     use Symfony\Component\HttpFoundation\Request;
 
-    // only trust proxy headers coming from this IP addresses
+    // put this code as early as possible in your application (e.g. in your
+    // front controller) to only trust proxy headers coming from these IP addresses
     Request::setTrustedProxies(array('192.0.0.1', '10.0.0.0/8'));
 
+.. versionadded:: 2.3
+    CIDR notation support was introduced in Symfony 2.3, so you can whitelist whole
+    subnets (e.g. ``10.0.0.0/8``, ``fc00::/7``).
+
 You should also make sure that your proxy filters unauthorized use of these
 headers, e.g. if a proxy natively uses the ``X-Forwarded-For`` header, it
 should not allow clients to send ``Forwarded`` headers to Symfony.