diff --git a/demo.d/example.tconf b/demo.d/example.tconf
index 79d33cd..21ba26c 100644
--- a/demo.d/example.tconf
+++ b/demo.d/example.tconf
@@ -34,6 +34,13 @@
 #
 # set x_from_onion_value 1
 
+# Other headers to pass upstream to Origin; be careful not to tread on
+# any which are controlled elsewhere / by other means, such as "Host"
+# or "Accept-Encoding", as those MUST win. See "nginx.conf.txt" for
+# relevant code.
+#
+# set inject_headers_upstream header-name,header-value [...]
+
 # When you're proving SSL ownership, you may want arbitrary text
 # strings to be returned for a GET upon an arbitrary "/path"
 #
diff --git a/templates.d/nginx.conf.txt b/templates.d/nginx.conf.txt
index d5db481..f34308f 100644
--- a/templates.d/nginx.conf.txt
+++ b/templates.d/nginx.conf.txt
@@ -783,12 +783,13 @@ http {
 
       # a note re: proxy_set_header, add_header, similar methods, etc;
       # if you override *any* header then you will lose the other
-      # headers inherited from the parent contexts:
+      # headers inherited from the parent contexts / other scopes;
+      # ergo: they all need to be "done" in a single bank.
       # https://blog.g3rt.nl/nginx-add_header-pitfall.html
 
-      # request_rewrites and injections:
       %%IF %INJECT_HEADERS_UPSTREAM%
-      # inject_headers_upstream
+      # inject_headers_upstream;
+      # this is above the ones below in order to disambiguate which ones "win"
       %%CSV %INJECT_HEADERS_UPSTREAM%
       proxy_set_header %1% "%2%";
       %%ENDCSV