diff --git a/docs/toolhive/reference/cli/thv_run.md b/docs/toolhive/reference/cli/thv_run.md
index 981e07f2..5338ab03 100644
--- a/docs/toolhive/reference/cli/thv_run.md
+++ b/docs/toolhive/reference/cli/thv_run.md
@@ -134,6 +134,7 @@ thv run [flags] SERVER_OR_IMAGE_OR_PROTOCOL [-- ARGS...]
       --tools stringArray                       Filter MCP server tools (comma-separated list of tool names)
       --tools-override string                   Path to a JSON file containing overrides for MCP server tools names and descriptions
       --transport string                        Transport mode (sse, streamable-http or stdio)
+      --trust-proxy-headers                     Trust X-Forwarded-* headers from reverse proxies (X-Forwarded-Proto, X-Forwarded-Host, X-Forwarded-Port, X-Forwarded-Prefix)
   -v, --volume stringArray                      Mount a volume into the container (format: host-path:container-path[:ro])
 ```
 
diff --git a/static/api-specs/toolhive-api.yaml b/static/api-specs/toolhive-api.yaml
index 52cac119..35a2626a 100644
--- a/static/api-specs/toolhive-api.yaml
+++ b/static/api-specs/toolhive-api.yaml
@@ -195,7 +195,10 @@ components:
             This is embedded in the URL.
           type: integer
         proxy_mode:
-          description: ProxyMode is the proxy mode for stdio transport (sse or streamable-http).
+          description: |-
+            ProxyMode is the proxy mode that clients should use to connect.
+            For stdio transports, this will be the proxy mode (sse or streamable-http).
+            For direct transports (sse/streamable-http), this will be the same as TransportType.
           type: string
         remote:
           description: Remote indicates whether this is a remote workload (true) or
@@ -245,9 +248,21 @@ components:
           description: Whether to print resolved overlay paths for debugging
           type: boolean
       type: object
+    permissions.InboundNetworkPermissions:
+      description: Inbound defines inbound network permissions
+      properties:
+        allow_host:
+          description: AllowHost is a list of allowed hosts for inbound connections
+          items:
+            type: string
+          type: array
+          uniqueItems: false
+      type: object
     permissions.NetworkPermissions:
       description: Network defines network permissions
       properties:
+        inbound:
+          $ref: '#/components/schemas/permissions.InboundNetworkPermissions'
         outbound:
           $ref: '#/components/schemas/permissions.OutboundNetworkPermissions'
       type: object
@@ -842,6 +857,10 @@ components:
           - TransportTypeSSE
           - TransportTypeStreamableHTTP
           - TransportTypeInspector
+        trust_proxy_headers:
+          description: TrustProxyHeaders indicates whether to trust X-Forwarded-*
+            headers from reverse proxies
+          type: boolean
         volumes:
           description: |-
             Volumes are the directory mounts to pass to the container
@@ -1180,6 +1199,9 @@ components:
         transport:
           description: Transport configuration
           type: string
+        trust_proxy_headers:
+          description: Whether to trust X-Forwarded-* headers from reverse proxies
+          type: boolean
         url:
           description: Remote server specific fields
           type: string
@@ -1533,6 +1555,9 @@ components:
         transport:
           description: Transport configuration
           type: string
+        trust_proxy_headers:
+          description: Whether to trust X-Forwarded-* headers from reverse proxies
+          type: boolean
         url:
           description: Remote server specific fields
           type: string