From cd77ee076f9b9d1ac066cc486ec24b753a03ffbc Mon Sep 17 00:00:00 2001 From: Nick Taylor Date: Fri, 13 Feb 2026 21:23:29 +0000 Subject: [PATCH] docs(gateway): remove misleading Tailscale safety comparison Changed 'When NOT to Use' section to avoid implying Tailscale is 'safer' than identity-aware proxies like Pomerium. Pomerium is a security-focused identity-aware proxy - it's not less safe than Tailscale, just a different approach (multi-user vs personal). Updated to focus on actual inappropriate use cases: - No authentication (TLS terminator only) - Bypass paths exist - Header handling uncertain - Single-user scenarios (where Tailscale may be simpler, not safer) --- docs/gateway/trusted-proxy-auth.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/gateway/trusted-proxy-auth.md b/docs/gateway/trusted-proxy-auth.md index 5a3380518b4..f4122cbe172 100644 --- a/docs/gateway/trusted-proxy-auth.md +++ b/docs/gateway/trusted-proxy-auth.md @@ -20,10 +20,10 @@ Use `trusted-proxy` auth mode when: ## When NOT to Use -- If you can use `gateway.bind: "loopback"` with Tailscale Serve instead (simpler, safer) -- If your proxy doesn't authenticate users (just a TLS terminator) -- If there's any path to the Gateway that bypasses the proxy +- If your proxy doesn't authenticate users (just a TLS terminator or load balancer) +- If there's any path to the Gateway that bypasses the proxy (firewall holes, internal network access) - If you're unsure whether your proxy correctly strips/overwrites forwarded headers +- If you only need personal single-user access (consider Tailscale Serve + loopback for simpler setup) ## How It Works
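Review bot: The new last bullet ("If you only need personal single-user access (consider Tailscale Serve + loopback for simpler setup)") drops the concrete config key `gateway.bind: "loopback"` that the removed line carried, so a reader can no longer tell which setting "loopback" refers to; suggest keeping it inline, e.g. `- If you only need personal single-user access (consider Tailscale Serve with `gateway.bind: "loopback"` for a simpler setup)`, so the bullet still names the option the rest of the doc presumably documents. The wording change itself is sound: the old "(simpler, safer)" parenthetical read as a blanket security ranking of Tailscale over an identity-aware proxy, and the replacement correctly frames it as a simplicity trade-off for the single-user case. On the bypass bullet, the added examples "(firewall holes, internal network access)" are useful, and a short pointer to how an operator verifies there is no such path (that the Gateway's bind address is reachable only from the proxy) would make the bullet actionable rather than advisory.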