From adead686a3257c498bdab5012a75425bcb3f2fd9 Mon Sep 17 00:00:00 2001 From: Steven Date: Tue, 2 Sep 2025 15:49:10 -0400 Subject: [PATCH 1/2] doc: provide alternative to `url.parse()` using WHATWG URL --- doc/api/url.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/doc/api/url.md b/doc/api/url.md index 3e86e25eaf1181..d82ddb869e0329 100644 --- a/doc/api/url.md +++ b/doc/api/url.md @@ -1847,7 +1847,15 @@ A `URIError` is thrown if the `auth` property is present but cannot be decoded. strings. It is prone to security issues such as [host name spoofing][] and incorrect handling of usernames and passwords. Do not use with untrusted input. CVEs are not issued for `url.parse()` vulnerabilities. Use the -[WHATWG URL][] API instead. +[WHATWG URL][] API instead, for example: + +```js +function getURL(req) { + const proto = req.headers['x-forwarded-proto'] || 'https'; + const host = req.headers['x-forwarded-host'] || req.headers.host || 'example.com'; + return new URL(req.url || '/', `${proto}://${host}`); +} +``` ### `url.resolve(from, to)` From 2d9d1afb9b93eb9f9598e9813e60dff7891c7c50 Mon Sep 17 00:00:00 2001 From: Steven Date: Thu, 4 Sep 2025 09:46:05 -0400 Subject: [PATCH 2/2] doc: mention reverse proxy and include simple example --- doc/api/url.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/doc/api/url.md b/doc/api/url.md index d82ddb869e0329..8bde8f1161ca70 100644 --- a/doc/api/url.md +++ b/doc/api/url.md @@ -1857,6 +1857,16 @@ function getURL(req) { } ``` +The example above assumes well-formed headers are forwarded from a reverse +proxy to your Node.js server. If you are not using a reverse proxy, you should +use the example below: + +```js +function getURL(req) { + return new URL(req.url || '/', 'https://example.com'); +} +``` + ### `url.resolve(from, to)`
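Review bot: In the `getURL` example added by PATCH 1/2, the base URL is built from `x-forwarded-proto`, `x-forwarded-host` and `host` with no validation, inside the paragraph that warns about host name spoofing and untrusted input. All three are request headers, so unless something upstream overwrites them the client chooses the resulting `hostname` and `protocol`. Suggest stating that next to the example and showing the host checked against a list of expected names before it is used. `new URL()` also throws a `TypeError` when the assembled base is not a valid URL, so the text should say callers must handle that. The `'example.com'` fallback should be described as a placeholder for the server's own origin.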
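Review bot: In the paragraph added by PATCH 2/2, "assumes well-formed headers are forwarded from a reverse proxy" understates the requirement: the first example is only safe when the proxy sets or strips `x-forwarded-proto` and `x-forwarded-host` itself, which is a question of trust rather than form. Suggest wording it that way. In the second example, `new URL(req.url || '/', 'https://example.com')` resolves `req.url` against the base, so a request target that begins with `//` or is an absolute URL produces a URL whose host is not `example.com`. A sentence telling readers to use only `pathname` and `search` from the result, or to compare `origin` with the expected value, would close that gap. It would also help to say that `'https://example.com'` is a placeholder.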