diff --git a/book/src/frequently_asked_questions.md b/book/src/frequently_asked_questions.md
index a8f49543a..a586e85fc 100644
--- a/book/src/frequently_asked_questions.md
+++ b/book/src/frequently_asked_questions.md
@@ -52,6 +52,19 @@ configured.
 Similarly, WebAuthn and its various other names like Passkeys, FIDO2 or "scan the QR code to log in"
 will [only work over TLS](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API).
 
+There are a variety of ways that you can configure TLS between your load balancer and Kanidm.
+Ultimately, any option that maintains the confidentiality and integrity of the communication will
+suffice. Some options include, but are not limited to:
+
+- Generating a self-signed certificate
+  - Utilize certificate pinning to ensure that the load balancer only trusts connections made with
+  that particular certificate
+- Not terminating TLS / TLS passthrough / TCP proxy
+- Running your own certificate authority (CA)
+
+The "best" option for you will depend on a number of factors, including your threat model and the
+specifc load balancer you are using.
+
 ## OAuth2
 
 [RFC6819 - OAuth2 Threat Model and Security Considerations](https://www.rfc-editor.org/rfc/rfc6819)