From 5a406933b701074d7c71540cb5b9317aac8052d5 Mon Sep 17 00:00:00 2001 From: Max Chernoff Date: Tue, 10 Jun 2025 01:40:47 -0600 Subject: [PATCH] `per_host` metrics may contain unconfigured hosts Fixes caddyserver/caddy#7055. --- src/docs/markdown/caddyfile/options.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/docs/markdown/caddyfile/options.md b/src/docs/markdown/caddyfile/options.md index d208eba..f34b826 100644 --- a/src/docs/markdown/caddyfile/options.md +++ b/src/docs/markdown/caddyfile/options.md @@ -1028,6 +1028,8 @@ You can add the `per_host` option to label metrics with the host name of the met } ``` +Note that when you enable `per_host` metrics, Caddy will create `host` labels for _all_ requests that it receives, not just for host names that Caddy is configured to respond to. This means that an attacker can trivially add arbitrary and unlimited `host` labels to your metrics, simply by modifying the value of the `Host:` HTTP request header. + ##### `trace` Log each individual handler that is invoked. Requires that the log emit at `DEBUG` level ( You may do so with the [`debug` global option](#debug)).
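Review bot: the added paragraph names the exposure but not its consequence or any mitigation, so the reader is left without an actionable takeaway; unbounded `host` label values mean unbounded metric series, which is a label-cardinality (memory and scrape-size) problem for Caddy and for whatever collects the metrics. Suggest following the warning with one sentence on impact and one on what to do, e.g. "Each distinct `Host` value creates a new metric series, so unbounded values can grow memory use in Caddy and in your metrics backend; only enable `per_host` when something in front of Caddy restricts the `Host` values that reach it, or ensure your metrics pipeline limits series cardinality." Since the commit message says this fixes caddyserver/caddy#7055, linking that issue from the note would also let readers find the discussion behind it.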