From c1db7066775b4a01b2dfd14363a29c223f473fdd Mon Sep 17 00:00:00 2001
From: Ralph Slooten
Date: Mon, 9 Mar 2026 12:44:39 +1300
Subject: [PATCH] Update inline TLS verification docs for healthcheck and link checks
---
 cmd/readyz.go | 3 ++-
 internal/linkcheck/status.go | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/cmd/readyz.go b/cmd/readyz.go
index 7d795f6..07449e4 100644
--- a/cmd/readyz.go
+++ b/cmd/readyz.go
@@ -41,7 +41,8 @@ settings to determine the HTTP bind interface & port.
 IdleConnTimeout: time.Second * 5,
 ExpectContinueTimeout: time.Second * 5,
 TLSHandshakeTimeout: time.Second * 5,
- // do not verify TLS in case this instance is using HTTPS
+ // do not verify TLS if this instance is using HTTPS as we connect using IP
+ // so won't be the same as the cert
 TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // #nosec
 }
 client := &http.Client{Transport: conf}
diff --git a/internal/linkcheck/status.go b/internal/linkcheck/status.go
index 703d1b1..b616629 100644
--- a/internal/linkcheck/status.go
+++ b/internal/linkcheck/status.go
@@ -81,6 +81,7 @@ func doHead(link string, followRedirects bool) (int, error) {
 }
 if config.AllowUntrustedTLS {
+ // user has explicitly allowed untrusted TLS, so we will not verify it for link checks
 tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} // #nosec
 }
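Review bot: The `// #nosec` on the `TLSClientConfig` line in cmd/readyz.go is a blanket suppression, so it silences every gosec rule on that line rather than only the TLS one; scope it and keep the reason next to it, e.g. `TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // #nosec G402 -- health check dials this instance by IP`. The same applies to the `tr.TLSClientConfig` line in the internal/linkcheck/status.go hunk. The new two-line comment would read more clearly as `// skip TLS verification: the health check connects to this instance by IP, which will not match the name in its certificate`. It is worth adding that the response is therefore unauthenticated and should only be used as a ready/not-ready signal. The enclosing function starts and ends outside the hunk.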
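Review bot: The added comment in `doHead` says why verification is off but not how far that reaches: the function takes `followRedirects`, and if `tr` is the transport used for the whole request chain, redirect targets would be fetched unverified as well. Suggest `// config.AllowUntrustedTLS is an explicit opt-in: certificates are not verified for link checks (including any redirect targets), so the reported status is not authenticated`. Only part of `doHead` is visible in the hunk, so the redirect behaviour should be confirmed against the rest of the function.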