diff --git a/source/_posts/caddy-upgrade-v2-proxy.md b/source/_posts/caddy-upgrade-v2-proxy.md
index 589f6b5..d125232 100644
--- a/source/_posts/caddy-upgrade-v2-proxy.md
+++ b/source/_posts/caddy-upgrade-v2-proxy.md
@@ -2,6 +2,7 @@
 title: Upgrading Caddy reverse proxy from v1 to v2 syntax
 excerpt: route, strip_prefix, rewrite
 date: 2020-05-23
+lastUpdated: 2020-05-28
 tags:
 - server
 - caddy
@@ -172,6 +173,18 @@ example.com www.example.com {
 }
 ```
 
+## header and reverse_proxy
+
+`header` directive still keeps similar syntax, but operates a bit different. In v2, when used alongside with `reverse_proxy`, Caddy modifies the header _before_ receiving header response from the backend. This behaviour is apparent when you want to replace existing header(s); instead of replacing, Caddy adds the header and results in duplicate headers. To avoid this issue, you should use `defer`:
+
+``` plain v2
+  header {
+    -server
+    Referrer-Policy "no-referrer"
+    defer
+  }
+```
+
 ## Disable HTTP -> HTTPS redirects
 
 In v2, Caddy automatically listens on HTTP (port 80) and redirects to HTTPS, whereas in v1, you need add a separate `redir 301`. This is handy is most use cases, but doesn't apply to my {% post_link caddy-nixos-part-3 'use case' %}--listens on HTTPS only.