diff --git a/backend/src/main/java/org/raddatz/familienarchiv/auth/AuthSessionController.java b/backend/src/main/java/org/raddatz/familienarchiv/auth/AuthSessionController.java
index 18c8b4d3..a7f119a9 100644
--- a/backend/src/main/java/org/raddatz/familienarchiv/auth/AuthSessionController.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/auth/AuthSessionController.java
@@ -78,6 +78,15 @@ public class AuthSessionController {
         return ResponseEntity.noContent().build();
     }
 
+    /**
+     * Resolves the client IP for audit-log purposes.
+     *
+     * Trust model: the leftmost {@code X-Forwarded-For} value is taken at face value.
+     * This is correct only if the ingress (Caddy in production) strips any
+     * client-supplied XFF before forwarding — otherwise an attacker can pin audit-log
+     * IPs to whatever they want. Verify the reverse-proxy config before exposing this
+     * service behind a different ingress.
+     */
     private static String resolveClientIp(HttpServletRequest request) {
         String forwarded = request.getHeader("X-Forwarded-For");
         if (forwarded != null && !forwarded.isBlank()) {
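Review bot: Taking the leftmost `X-Forwarded-For` entry in `resolveClientIp` trusts the value furthest from the proxy, which is exactly the one a client can supply; if the ingress appends its own hop to an existing header instead of replacing it, the audit log records whatever the attacker sent, and the Javadoc's "verify the proxy config" caveat is the only safeguard. The rightmost entry is the one added by the last trusted hop, so `String[] hops = forwarded.split(","); String candidate = hops[hops.length - 1].strip();` is the safer default (or let Spring's `ForwardedHeaderFilter` / `server.forward-headers-strategy` resolve it so `getRemoteAddr()` is already correct). Whatever entry is chosen, validate it as an IP literal with a bounded length before writing it to the audit log — not via `InetAddress.getByName`, which would perform a DNS lookup on non-literal input — so arbitrary header text cannot land in the log verbatim. The method body continues outside the hunk, so the fallback path when the header is absent is not visible here.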