diff --git a/CHANGES.rst b/CHANGES.rst index be393ad..3daeca7 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -6,7 +6,7 @@ Changes * **Security bug fix:** - If you use ``HttpAuthMiddleware`` (i.e. the ``http_user`` and ``http_pass`` + If you use HttpAuthMiddleware_ (i.e. the ``http_user`` and ``http_pass`` spider attributes) for Splash authentication, any non-Splash request will expose your credentials to the request target. This includes ``robots.txt`` requests sent by Scrapy when the ``ROBOTSTXT_OBEY`` setting is set to diff --git a/README.rst b/README.rst index 478d0fe..9b604ca 100644 --- a/README.rst +++ b/README.rst @@ -602,7 +602,7 @@ to ``splash_headers`` if you want to change credentials per-request:: yield SplashRequest(url, self.parse, splash_headers={'Authorization': auth}) -**WARNING:** Don't use :ref:`HttpAuthMiddleware` +**WARNING:** Don't use `HttpAuthMiddleware`_ (i.e. ``http_user`` / ``http_pass`` spider attributes) for Splash authentication: if you occasionally send a non-Splash request from your spider, you may expose Splash credentials to a remote website, as HttpAuthMiddleware
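Review bot: In the CHANGES.rst hunk, the new HttpAuthMiddleware_ named reference has no matching target in the lines shown, and a named reference without a target makes docutils report an unknown target name when the file is rendered. Please confirm CHANGES.rst defines one, for example a line of the form ".. _HttpAuthMiddleware: <URL of the Scrapy HttpAuthMiddleware documentation>", and add it in this patch if it does not. README.rst needs its own definition for `HttpAuthMiddleware`_ because the two files are rendered separately. It would also be tidier to use the same reference spelling in both files (HttpAuthMiddleware_ here, `HttpAuthMiddleware`_ in README.rst).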
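Review bot: In the README.rst hunk, the warning text "if you occasionally send a non-Splash request from your spider" is narrower than the CHANGES.rst entry in this same patch, which says any non-Splash request exposes the credentials and names the robots.txt requests Scrapy sends by itself when ROBOTSTXT_OBEY is set. A reader of the README alone could conclude that a spider which only yields SplashRequest objects is safe with http_user / http_pass. Since this line is being touched anyway, consider aligning the wording with CHANGES.rst so the warning covers requests the spider author never writes explicitly. The last visible mention of HttpAuthMiddleware in the warning is left as plain text; that is fine, but it should be a deliberate choice now that the first mention is a link.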