From 9daa8464572c55bb1d9b09a83fd200c78758dbd3 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Tue, 27 Jan 2026 05:47:45 +0000 Subject: [PATCH] docs(bluebubbles): note reverse-proxy localhost trust caveat --- docs/channels/bluebubbles.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/channels/bluebubbles.md b/docs/channels/bluebubbles.md index a1f4a0892..914dc3664 100644 --- a/docs/channels/bluebubbles.md +++ b/docs/channels/bluebubbles.md @@ -218,6 +218,7 @@ Prefer `chat_guid` for stable routing: ## Security - Webhook requests are authenticated by comparing `guid`/`password` query params or headers against `channels.bluebubbles.password`. Requests from `localhost` are also accepted. - Keep the API password and webhook endpoint secret (treat them like credentials). +- Localhost trust means a same-host reverse proxy can unintentionally bypass the password. If you proxy the gateway, require auth at the proxy and configure `gateway.trustedProxies`. See [Gateway security](/gateway/security#reverse-proxy-configuration). - Enable HTTPS + firewall rules on the BlueBubbles server if exposing it outside your LAN. ## Troubleshooting
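Review bot: The added bullet under `## Security` names the risk but not the mechanism, and it sits two bullets away from the sentence it qualifies. A reader who only sees "Requests from `localhost` are also accepted" in the first bullet still gets an unconditional statement. Consider placing the caveat directly after that first bullet, or folding it in, and stating why the bypass happens: behind a same-host reverse proxy, forwarded requests reach the gateway from the loopback address, so the localhost rule applies to remote callers as well. The instruction "configure `gateway.trustedProxies`" also gives no hint of what the value should contain or what happens when it is left unset. A short phrase here, or wording that makes the linked Gateway security section required reading rather than optional, would keep the bullet actionable on its own. "Require auth at the proxy" could likewise say whether the `guid`/`password` check is still expected to pass for proxied webhook requests once the proxy is trusted.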