Document blocked headers for WebSocket Playground proxy

fern/products/docs/pages/api-references/api-explorer.mdx

@@ -67,6 +67,22 @@ For APIs that support WebSocket connections, the API Explorer includes a **WebSo
 
 <div style="position: relative; padding-bottom: 56.2%; height: 0;"><iframe src="https://www.loom.com/embed/be4da30404794e9983c4fe639f78d4c8?sid=73b7aeda-98fa-4531-87ed-1e5909500fe2?hide_owner=true&hide_share=true&hide_title=true&hideEmbedTopBar=true" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen style="position: absolute; top: 0; left: 0; width: 100%; height: 100%;"></iframe></div>
 
+### Blocked headers
+
+The WebSocket proxy strips certain headers during the connection handshake for security. Custom headers defined in your API definition (such as authentication headers) are forwarded normally. The following headers are blocked:
+
+<Accordion title="Blocked header list">
+- `Host`, `Origin`, `Referer`
+- `X-Forwarded-For`, `X-Forwarded-Host`, `X-Forwarded-Proto`, `X-Forwarded-Port`, `Forwarded`
+- `X-Real-IP`, `True-Client-IP`
+- `Connection`, `Keep-Alive`, `Transfer-Encoding`, `TE`, `Trailer`, `Via`
+- `Upgrade`
+- `Proxy-Authorization`, `Proxy-Connection`
+- `Cookie`, `Set-Cookie`
+- `X-Request-Id`
+- Cloudflare headers: `CF-Connecting-IP`, `CF-IPCountry`, `CF-Ray`, `CF-Visitor`
+</Accordion>
+
 ## Control API Explorer availability
 
 For OpenAPI specs, the API Explorer is enabled by default for all endpoints. You can disable it globally or per endpoint using the [`x-fern-explorer`](/learn/api-definitions/openapi/extensions/api-explorer-control) extension. This is commonly used to disable the Explorer for destructive operations, payment processing, or admin-only endpoints.