diff --git a/architecture/authentication.adoc b/architecture/authentication.adoc index 8cff881e9bc3..a7319ab055c0 100644 --- a/architecture/authentication.adoc +++ b/architecture/authentication.adoc @@ -190,7 +190,7 @@ Multiple headers can be specified using a comma-separated list. Each header is c `OPENSHIFT_OAUTH_REQUEST_HEADERS` defaults to `X-Remote-User` -TODO: Add options to verify the request (e.g. client certificate checking, IP range restriction, etc) to ensure it is coming from a trusted source before using the username in the request header. +To require requests to present a valid client certificate, set the `OPENSHIFT_OAUTH_REQUEST_HEADER_CA_FILE` environment variable to the path to a PEM-encoded certificate bundle. If set, a valid client certificate must be presented and validated against the certificate authorities in the specified file before the request headers are checked for usernames. ==== Session configuration [[config-session]] @@ -308,6 +308,11 @@ OPENSHIFT_OAUTH_HANDLER=deny ``` The authenticating proxy can use whatever authentication method it likes, but keep in mind that both browser and non-browser clients will need to authenticate against it. +To require the proxy to present a client certificate (and ignore `Remote-User` headers unless a valid client certificate is presented): +``` +OPENSHIFT_OAUTH_REQUEST_HEADER_CA_FILE=/path/to/certificate_authority_bundle.crt +``` + ==== Google OAuth provider To use Google as an identity provider:
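Review bot: In the first hunk (`authentication.adoc` @@ -190), the new paragraph on `OPENSHIFT_OAUTH_REQUEST_HEADER_CA_FILE` should also state what happens when the variable is unset, since that is exactly the case the removed TODO was worried about: as written, a reader cannot tell whether an unset CA file means request-header usernames are trusted from any source. Suggest adding one sentence such as "If unset, no client certificate is required and the request headers are trusted as-is; only enable request-header authentication behind a proxy that strips these headers from client traffic." It would also help to say whether a request that fails certificate validation is rejected outright or merely has its username headers ignored, because the second hunk describes the latter behaviour while this paragraph ("must be presented and validated ... before the request headers are checked") reads like the former.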
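Review bot: In the second hunk (`authentication.adoc` @@ -308), the new sentence refers to `Remote-User` headers, but the surrounding text documents `OPENSHIFT_OAUTH_REQUEST_HEADERS` as defaulting to `X-Remote-User`; use the same header name (or say "the configured request headers") so readers do not configure the wrong header. The parenthetical "ignore `Remote-User` headers unless a valid client certificate is presented" also describes a different failure mode than the first hunk, which says a valid certificate "must be presented"; pick one wording for both places. Finally, the example path `/path/to/certificate_authority_bundle.crt` should be accompanied by a note that the bundle must contain the CA that issued the proxy's client certificate, and that the proxy therefore has to be configured to present that certificate on every request, since the sentence above it says the proxy may use "whatever authentication method it likes".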