diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml index dbe23db54f..a3f4b258f7 100644 --- a/doc/src/sgml/runtime.sgml +++ b/doc/src/sgml/runtime.sgml @@ -2014,6 +2014,18 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433 CA. + + To prevent server spoofing from occurring when using + scram-sha-256 password authentication + over a network, you should ensure you are connecting using SSL. Additionally, + the SCRAM implementation in libpq cannot protect + the entire authentication exchange, but using the + channel_binding=require connection parameter provides a + mitigation against server spoofing. An attacker that uses a rogue server to + intercept a SCRAM exchange can use offline analysis to determine the hashed + password from the client. + + To prevent spoofing with GSSAPI, the server must be configured to accept only hostgssenc connections
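Review bot: The new paragraph's two recommendations are presented as independent, but in the added lines "you should ensure you are connecting using SSL" and "channel_binding=require" are not tied together, so a reader cannot tell that channel binding is only available on an SSL connection with a server certificate; suggest saying so explicitly and pointing the reader at the SSL-mode discussion above (the hunk's leading context ends with "CA."). The sentence "the SCRAM implementation in libpq cannot protect the entire authentication exchange" is too vague for a security paragraph: name what is not protected, i.e. that SCRAM alone does not authenticate the server, so a rogue server can complete the exchange. Finally, "use offline analysis to determine the hashed password from the client" is ambiguous (a hash is not what is recovered; the captured exchange enables an offline guessing attack on the password); suggest "can run an offline dictionary attack against the captured client proof to recover the password", and consider moving that attacker sentence ahead of the mitigation so the text states the risk before the remedy.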