diff --git a/app/vmauth/README.md b/app/vmauth/README.md
index c5c8d3054..eff0ac7e5 100644
--- a/app/vmauth/README.md
+++ b/app/vmauth/README.md
@@ -124,6 +124,8 @@ This may be useful for passing secrets to the config.
 
 ## Security
 
+It is expected that all the backend services protected by `vmauth` are located in an isolated private network, so they can be accessed by external users only via `vmauth`.
+
 Do not transfer Basic Auth headers in plaintext over untrusted networks. Enable https. This can be done by passing the following `-tls*` command-line flags to `vmauth`:
 
 ```
diff --git a/docs/vmauth.md b/docs/vmauth.md
index 82491b702..5edd39bba 100644
--- a/docs/vmauth.md
+++ b/docs/vmauth.md
@@ -128,6 +128,8 @@ This may be useful for passing secrets to the config.
 
 ## Security
 
+It is expected that all the backend services protected by `vmauth` are located in an isolated private network, so they can be accessed by external users only via `vmauth`.
+
 Do not transfer Basic Auth headers in plaintext over untrusted networks. Enable https. This can be done by passing the following `-tls*` command-line flags to `vmauth`:
 
 ```