diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index dbe23db54f..9a9fa7b206 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -2014,6 +2014,19 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
CA.
+
+ To prevent server spoofing from occurring when using
+ scram-sha-256 password authentication
+ over a network, you should ensure that you connect to the server using SSL
+ and with one of the anti-spoofing methods described in the previous
+ paragraph. Additionally, the SCRAM implementation in
+ libpq cannot protect the entire authentication
+ exchange, but using the channel_binding=require connection
+ parameter provides a mitigation against server spoofing. An attacker that
+ uses a rogue server to intercept a SCRAM exchange can use offline analysis to
+ determine the hashed password from the client.
+
+
To prevent spoofing with GSSAPI, the server must be configured to accept
only hostgssenc connections