diff --git a/docs/production/deployment.md b/docs/production/deployment.md index ee41bcb0b1..214fd0eccd 100644 --- a/docs/production/deployment.md +++ b/docs/production/deployment.md @@ -455,6 +455,7 @@ that your Zulip server sits at `https://10.10.10.10:443`; see location / { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_http_version 1.1; proxy_buffering off; @@ -555,6 +556,8 @@ your Zulip server sits at `https://10.10.10.10:443`see bind *:80 bind *:443 ssl crt /etc/ssl/private/zulip-combined.crt http-request redirect scheme https code 301 unless { ssl_fc } + http-request set-header X-Forwarded-Proto http unless { ssl_fc } + http-request set-header X-Forwarded-Proto https if { ssl_fc } default_backend zulip backend zulip @@ -580,6 +583,13 @@ things you need to be careful about when configuring it: has the actual IP addresses of clients, not the IP address of the proxy server. +1. Configure your reverse proxy (or proxies) to correctly maintain the + `X-Forwarded-Proto` HTTP header, which is supposed to contain either `https` + or `http` depending on the connection between your browser and your + proxy. This will be used by Django to perform CSRF checks regardless of your + connection mechanism from your proxy to Zulip. Note that the proxies _must_ + set the header, overriding any existing values, not add a new header. + 1. Configure your proxy to pass along the `Host:` header as was sent from the client, not the internal hostname as seen by the proxy. If this is not possible, you can set `USE_X_FORWARDED_HOST = True`
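Review bot: in the nginx hunk, `proxy_set_header X-Forwarded-Proto $scheme;` is correct only when this nginx instance is the one terminating TLS for the browser: `$scheme` reflects the scheme of the connection nginx itself accepted, so if nginx is in turn fronted by another proxy that terminates TLS, `$scheme` will be `http` and the header will be wrong. Since the new prose item explicitly allows for "your reverse proxy (or proxies)", it would be worth a one-line note next to this snippet that in a chained setup the outermost TLS terminator must set the header and inner proxies must pass it through unchanged. On the "must override, not add" requirement from the prose, `proxy_set_header` does replace any client-supplied `X-Forwarded-Proto`, so the nginx example satisfies it as written.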
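Review bot: in the HAProxy hunk, the `http-request set-header X-Forwarded-Proto http unless { ssl_fc }` line is unreachable for backend traffic, because the preceding `http-request redirect scheme https code 301 unless { ssl_fc }` already answers every plaintext request with a redirect before the header rules run. It is harmless as a defensive default, but either drop it and keep only the `https if { ssl_fc }` line, or add a short comment saying it only matters if the redirect rule is removed, so readers do not think plaintext requests reach Zulip with `X-Forwarded-Proto: http`. Using `set-header` rather than `add-header` correctly overrides any value the client sent, which matches the requirement stated in the prose hunk.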
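Review bot: the new list item should state the security reason for "the proxies _must_ set the header, overriding any existing values, not add a new header": `X-Forwarded-Proto` is trusted input, and a client-supplied `X-Forwarded-Proto: https` that is appended rather than replaced could be honored by Django's CSRF origin check. Two related points the item leaves open: it says Django "will be used ... to perform CSRF checks" but does not say whether Zulip enables the corresponding Django setting automatically or whether the administrator must configure anything on the Zulip side; and, like the `X-Forwarded-For` item just above it, it should say that the header is only meaningful when Zulip is reachable exclusively through the proxy, since a client that can reach the Zulip server directly can set the header itself. Finally, the patch only updates the nginx and HAProxy examples; if this page carries configuration for any other proxy, it needs the same `X-Forwarded-Proto` addition so the examples stay consistent with the new requirement.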