diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 5591e44ec..2fc1915be 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -931,6 +931,9 @@
 * Requires: POLARSSL_SSL_TLS_C
 * POLARSSL_POLARSSL_PROTO_DTLS
 *
+ * \warning Disabling this is often a security risk!
+ * See ssl_set_dtls_anti_replay() for details.
+ *
 * Comment this to disable anti-replay in DTLS.
 */
 #define POLARSSL_SSL_DTLS_ANTI_REPLAY
@@ -945,6 +948,8 @@
 * unless you know for sure amplification cannot be a problem in the
 * environment in which your server operates.
 *
+ * \warning Disabling this can ba a security risk! (see above)
+ *
 * Requires: POLARSSL_SSL_SRV_C
 * POLARSSL_POLARSSL_PROTO_DTLS
 *
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 91f92f923..0c167bd01 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -1279,10 +1279,17 @@ void ssl_set_dtls_cookies( ssl_context *ssl,
 /**
 * \brief Enable or disable anti-replay protection for DTLS.
 * (DTLS only, no effect on TLS.)
- * Default: enebled.
+ * Default: enabled.
 *
 * \param ssl SSL context
 * \param mode SSL_ANTI_REPLAY_ENABLED or SSL_ANTI_REPLAY_DISABLED.
+ *
+ * \warning Disabling this is a security risk unless the application
+ * protocol handles duplicated packets in a safe way. You
+ * should not disable this without careful consideration.
+ * However, if your application already detects duplicated
+ * packets and needs information about them to adjust its
+ * transmission strategy, then you'll want to disable this.
 */
 void ssl_set_dtls_anti_replay( ssl_context *ssl, char mode );
 #endif /* POLARSSL_SSL_DTLS_ANTI_REPLAY */
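Review bot: The added `\warning` line in the second config.h hunk (`@@ -945,6 +948,8 @@`) carries a typo, "can ba a security risk", in the same commit that fixes "enebled" in ssl.h; it should read `+ * \warning Disabling this can be a security risk! (see above)`. The "(see above)" cross-reference also leans on the reader having the previous option's comment in view; naming the option it refers to, as the first config.h hunk does with `See ssl_set_dtls_anti_replay() for details.`, would make it self-contained. The comment block this hunk edits begins and ends outside the hunk, so the option it documents is not visible here.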