diff --git a/authelia/configuration.yml b/authelia/configuration.yml
index 52ba4ab..f4d86c0 100644
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -25,6 +25,7 @@ theme: 'light'
 identity_validation:
   reset_password:
     jwt_secret: '${AUTHELIA_JWT_SECRET}'
+    # Ensure AUTHELIA_JWT_SECRET is defined in environment (.env/Secrets) or startup will fail.
 
 ## TOTP Configuration
 totp:
@@ -100,7 +101,8 @@ authentication_backend:
 ## Access Control Configuration
 access_control:
   ## Default Policy
-  default_policy: 'deny'
+  # Baseline policy when no rule matches. Choose two_factor for stronger default.
+  default_policy: 'two_factor'
 
   ## Networks (optional, for IP-based rules)
   networks:
@@ -112,11 +114,11 @@ access_control:
 
   ## Rules
   rules:
-    ## Authelia itself
-    - domain: 'auth.gate.3launchpad.com'
+    # Authelia portal itself is bypassed so users can reach the login UI
+    - domain: 'auth.gate.3launchpad.com'
       policy: 'bypass'
 
-    ## Admin access
+    # Admin-only services require 2FA and membership in admins group
     - domain:
         - 'traefik.gate.3launchpad.com'
         - 'portainer.gate.3launchpad.com'
@@ -124,7 +126,7 @@ access_control:
       subject:
         - 'group:admins'
 
-    ## General protected services
+    # All other subdomains require at least one factor
     - domain: '*.gate.3launchpad.com'
       policy: 'one_factor'
 
@@ -167,7 +169,7 @@ regulation:
 ## Storage Configuration
 storage:
   ## Encryption key is required (newer versions). Provide via env var.
-  encryption_key: '${AUTHELIA_STORAGE_ENCRYPTION_KEY}'
+  encryption_key: '${AUTHELIA_STORAGE_ENCRYPTION_KEY}' # must be 32+ chars, consistent across restarts
   local:
     path: '/config/db.sqlite3'
 
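Review bot: The comment added under `jwt_secret` asserts that startup fails when the variable is unset, but that only holds if the `${AUTHELIA_JWT_SECRET}` placeholder is actually expanded; as far as I know Authelia expands `${VAR}` inside the configuration file only when its env-expansion config filter is enabled, and otherwise the literal placeholder text silently becomes the JWT secret and startup succeeds with a predictable value. The same caveat applies to `encryption_key` in the last hunk. Suggest widening the comment to `# AUTHELIA_JWT_SECRET must be set AND config env-expansion must be enabled; otherwise the literal '${...}' text becomes the secret.` and placing it above the key rather than after it, matching how the rest of the file comments its keys.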
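Review bot: Changing `default_policy` from `'deny'` to `'two_factor'` makes the baseline more permissive, and the new comment calling it the "stronger default" is misleading: `deny` refuses every request that matches no rule, whereas `two_factor` lets any authenticated user with a second factor reach any host not covered by a rule, including hosts exposed later by mistake. Because the wildcard rule already grants `one_factor` to `*.gate.3launchpad.com`, the default only governs domains nobody anticipated, which is exactly where fail-closed matters. I would keep `default_policy: 'deny'` and reword the comment to `# Applied when no rule matches; deny keeps unlisted hosts unreachable.` If two_factor is deliberately wanted as the fallback, the comment should at least state that it is more permissive than deny, not stronger.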
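Review bot: The rewritten rule comments switch from the file's `##` convention (still used on `## Rules`, `## Networks`, `## Default Policy` in this same diff) to a single `#`, so the file now mixes both styles; the comment in the following hunk has the same issue. Either keep `##` for these three or convert the section comments as well in one pass. Also, the `policy` of the admin rule lies outside this hunk, so the claim in `# Admin-only services require 2FA and membership in admins group` cannot be checked here; worth confirming it still reads `two_factor` before the comment is trusted.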
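Review bot: The inline comment `# must be 32+ chars, consistent across restarts` states a hard minimum I cannot confirm; my recollection is that the minimum Authelia enforces for `encryption_key` is shorter than 32 characters and that a long random value is the documented recommendation, so phrase it as guidance rather than a requirement. The more important point, which the current wording only hints at, is that changing the key after first start leaves the existing encrypted rows in `db.sqlite3` undecryptable; suggest `# Long random value (64 chars recommended); never rotate it in place, existing encrypted data would no longer decrypt.` I would also put it on its own line above the key, consistent with the `## Encryption key ...` comment already there.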