I'm installing Radicale and was confused by this language in the installation guide:
In the reverse proxy section, it says that "Untrusted clients should not be able to access the Radicale server directly. Otherwise, they can authenticate as any user." Does this mean that someone without my credentials will be able to access my Radicale remotely? Is it only if the X-Remote-User header is passed? Am I safe if requests are not allowed except through nginx?
If auth-type is set to http_x_remote_user, the user will be set via the X-Remote-User header without any further restrictions. Clients must not be allowed to pass the header in this case.
If auth-type is set to something different, the header is ignored.
I see. Thank you, that clears up my confusion. My auth type is set to htpasswd and I chose not to pass the X-Remote-User header so I should be fine.
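An added example, not part of the thread and not Radicale's own code: the rule from the reply above, applied as a check on a Radicale config file. It assumes the `[auth] type` and `[server] hosts` options and uses a loopback-only bind as a stand-in for "reachable only through the reverse proxy"; the function names, result strings and sample configs are constructed for illustration.

```python
import configparser
import ipaddress

# Constructed sample configs (not taken from the thread).
PROXY_AUTH_EXPOSED = """
[server]
hosts = 0.0.0.0:5232, [::]:5232
[auth]
type = http_x_remote_user
"""
PROXY_AUTH_LOOPBACK = """
[server]
hosts = 127.0.0.1:5232, [::1]:5232
[auth]
type = http_x_remote_user
"""
HTPASSWD = """
[server]
hosts = 0.0.0.0:5232
[auth]
type = htpasswd
"""

def is_loopback(bind):
    """True if a 'host:port' bind address is reachable only from this machine."""
    host = bind.strip().rsplit(":", 1)[0].strip("[]")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other hostname: treat as exposed (conservative)

def audit(config_text):
    """Classify how much trust the config places in X-Remote-User."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    if cfg.get("auth", "type", fallback="") != "http_x_remote_user":
        return "header-ignored"       # Radicale does its own authentication
    binds = [b for b in cfg.get("server", "hosts", fallback="").split(",") if b.strip()]
    if not binds:
        return "review-bind-address"  # hosts not set: check your version's default
    if all(is_loopback(b) for b in binds):
        return "proxy-only"           # only local processes can set the header
    return "exposed"                  # header trusted and port reachable: review

if __name__ == "__main__":
    for name in ("PROXY_AUTH_EXPOSED", "PROXY_AUTH_LOOPBACK", "HTPASSWD"):
        print(name, "->", audit(globals()[name]))
```

An "exposed" result means the deployment needs review rather than that it is certainly reachable, since a firewall can also block direct access; in the "proxy-only" case the proxy still has to set or overwrite `X-Remote-User` itself.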