diff --git a/deployment/proxies.rst b/deployment/proxies.rst index 12bf3f1cac1..a7e0aff99b2 100644 --- a/deployment/proxies.rst +++ b/deployment/proxies.rst @@ -35,15 +35,22 @@ and what headers your reverse proxy uses to send information:: ['192.0.0.1', '10.0.0.0/8'], // trust *all* "X-Forwarded-*" headers - Request::HEADER_X_FORWARDED_ALL + Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO // or, if your proxy instead uses the "Forwarded" header // Request::HEADER_FORWARDED - // or, if you're using AWS ELB + // or, if you're using a wellknown proxy // Request::HEADER_X_FORWARDED_AWS_ELB + // Request::HEADER_X_FORWARDED_TRAEFIK ); +.. caution:: + + Enabling the ``Request::HEADER_X_FORWARDED_HOST`` option exposes the + application to "`HTTP Host header attacks`_". Make sure the proxy really + send a ``x-forwarded-host`` header. + The Request object has several ``Request::HEADER_*`` constants that control exactly *which* headers from your reverse proxy are trusted. The argument is a bit field, so you can also pass your own value (e.g. ``0b00110``). @@ -114,3 +121,4 @@ In this case, you'll need to set the header ``X-Forwarded-Proto`` with the value .. _`security groups`: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-groups.html .. _`CloudFront`: https://en.wikipedia.org/wiki/Amazon_CloudFront .. _`CloudFront IP ranges`: https://ip-ranges.amazonaws.com/ip-ranges.json +.. _`HTTP Host header attacks`: https://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html diff --git a/migration.rst b/migration.rst index fa8c2bfc24b..5c786c103b9 100644 --- a/migration.rst +++ b/migration.rst 
@@ -262,7 +262,7 @@ could look something like this:: if ($trustedProxies = $_SERVER['TRUSTED_PROXIES'] ?? $_ENV['TRUSTED_PROXIES'] ?? false) { Request::setTrustedProxies( explode(',', $trustedProxies), - Request::HEADER_X_FORWARDED_ALL ^ Request::HEADER_X_FORWARDED_HOST + Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO ); }
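Review bot: In the new ``.. caution::`` block of the ``deployment/proxies.rst`` hunk, "Make sure the proxy really send a ``x-forwarded-host`` header" is both ungrammatical and too vague to act on; the risk named in the first sentence (Host header attacks) comes from a client-supplied ``X-Forwarded-Host`` reaching the application, so the sentence should say that the proxy must always set or overwrite that header rather than pass through whatever the client sent, e.g. "Make sure the proxy always sets an ``X-Forwarded-Host`` header itself and never forwards a client-supplied one." In the same hunk, "a wellknown proxy" should read "a well-known proxy", and the one-line ``Request::HEADER_X_FORWARDED_FOR | ... | Request::HEADER_X_FORWARDED_PROTO`` chain would be easier to read with one constant per line, as the ``migration.rst`` hunk already spreads its arguments.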
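Review bot: The ``migration.rst`` hunk deliberately leaves ``Request::HEADER_X_FORWARDED_HOST`` out of the replacement expression (matching what the removed ``HEADER_X_FORWARDED_ALL ^ HEADER_X_FORWARDED_HOST`` expressed), but nothing near the snippet says why, whereas ``deployment/proxies.rst`` in this same patch now documents the Host header risk; add a short comment above the ``Request::setTrustedProxies(`` call, or a sentence in the surrounding text, pointing to that caution so a reader migrating does not simply add ``HEADER_X_FORWARDED_HOST`` back.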