diff --git a/src/nginxconfig.ejs b/src/nginxconfig.ejs
index c6ea822f0..e222300e4 100644
--- a/src/nginxconfig.ejs
+++ b/src/nginxconfig.ejs
@@ -308,8 +308,8 @@ server {
 add_header Cache-Control no-cache;
 add_header Set-Cookie $auth_cookie;
+ # To prevent header spoofing from a client, these variables must always be set (or removed with '') for all proxyAuth routes
 proxy_set_header X-App-ID "<%= proxyAuth.id %>";
- proxy_set_header X-Remote-User $user;
 proxy_set_header X-Remote-Email $email;
 proxy_set_header X-Remote-Name $name;
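Review bot: The added comment above `proxy_set_header X-App-ID` states the rule but not the nginx behaviour that makes it easy to break: `proxy_set_header` lines are inherited from the outer level only when the current level defines none, so a proxyAuth location that later adds a single header of its own would stop overwriting `X-Remote-*` and pass the client's values through. I would extend the comment with `# nginx drops inherited proxy_set_header lines once a location sets its own; repeat this whole group there`. Separately, as the hunk reads here the `-` marker sits directly in front of `proxy_set_header X-Remote-User $user;`; if that line rather than a blank line is what is removed, `X-Remote-User` is no longer overwritten and should be restored. The enclosing block starts and ends outside the hunk.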