Meagre documentation

DEVELOPER.md

@@ -1,5 +1,23 @@
 # Developer instructions
 
+## Production deployments
+
+### Environment variables
+
+It's important to set `DUO_ENV=prod`.
+
+### Proxies
+
+Note also that `X-Forwarded-For` headers are treated as user's real IP. It's
+important to configure your server not to allow `X-Forwarded-For` to be
+overriden by the client, otherwise malicious users can spoof their IP address,
+which will allow them to partially bypass rate limits and bans.
+
+Whether `X-Forwarded-For` is used or not should probably be configurable, but
+it's not. Instead, if your server setup doesn't protect `X-Forwarded-For` headers
+from tampering, you'll need to remove the use of
+`werkzeug.middleware.proxy_fix.ProxyFix`.
+
 ## Running the tests
 
 Install these: