diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/ResetLinkAssignment.java b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/ResetLinkAssignment.java
index 39254d783..bced6b204 100644
--- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/ResetLinkAssignment.java
+++ b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/ResetLinkAssignment.java
@@ -29,7 +29,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
* @since 8/20/17.
*/
@AssignmentPath("/PasswordReset/reset")
-@AssignmentHints({"password-reset-hint1", "password-reset-hint2", "password-reset-hint3", "password-reset-hint4", "password-reset-hint5"})
+@AssignmentHints({"password-reset-hint1", "password-reset-hint2", "password-reset-hint3", "password-reset-hint4", "password-reset-hint5", "password-reset-hint6"})
public class ResetLinkAssignment extends AssignmentEndpoint {
private static final String PASSWORD_TOM_9 = "somethingVeryRandomWhichNoOneWillEverTypeInAsPasswordForTom";
diff --git a/webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties
index 063e1d3b5..ee58663a6 100644
--- a/webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties
@@ -13,9 +13,10 @@ password-reset-solved=Congratulations you solved the assignment, please type in
password-reset-not-solved=Sorry but you did not redirect the reset link to WebWolf
password-reset-hint1=Try to send a password reset link to your own account at {user}@webgoat.org, you can read this e-mail in WebWolf.
-password-reset-hint2=Look at the link, can you think how the server creates this link?
+password-reset-hint2=Look at the link, can you think of how the server creates this link?
password-reset-hint3=Tom clicks all the links he receives in his mailbox, you can use the landing page in WebWolf to get the reset link...
password-reset-hint4=The link points to localhost:8080/PasswordReset/.... can you change the host to localhost:9090?
-password-reset-hint5=Intercept the request and change the host header
+password-reset-hint5=Intercept the request and change the host header.
+password-reset-hint6=For intercepting the request you have to use a proxy. Check the HTTP-Proxies Lesson in the general category if you're unfamiliar with using proxies.
Important: There seem to be problems when modifying the request header with ZAP. We recommend to use Burp instead.
login_failed=Login failed
login_failed.tom=Sorry only Tom can login at the moment
\ No newline at end of file
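Review bot: The `Important:` sentence after `password-reset-hint6` sits on its own line in this hunk, which may be a rendering artefact, but if the break is in the file the hint loses that text. `java.util.Properties` would end the hint6 value at `using proxies.` and read the next line as a separate key `Important`, because a colon is a key/value separator, so the ZAP/Burp advice would never be shown to the learner. Keep the whole hint on one physical line, or end the hint6 line with a trailing `\` so the following line is parsed as a continuation. The wording could also be aligned with the lesson plan in this commit, which says ZAP cannot be used at all, whereas the hint only says there "seem to be problems".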
diff --git a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc
index e3601c000..22ca278b5 100644
--- a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc
+++ b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc
@@ -12,7 +12,7 @@ The time out is necessary to restrict the attack window, having a link opens up
== Assignment
-Tom always resets his password immediately after receiving the email with the link.
Try to reset the password of Tom (tom@webgoat-cloud.org) to your own choice and login as Tom with
that password. Note: it is not possible to use OWASP ZAP for this lesson.
+Tom always resets his password immediately after receiving the email with the link.