diff --git a/README.md b/README.md
index 52b678db..0fd70c65 100644
--- a/README.md
+++ b/README.md
@@ -214,6 +214,14 @@ Settings are stored in [YAML format](https://en.wikipedia.org/wiki/YAML), possib
    * `range_start` - start IP address of the controlled range.  
    * `range_end` - end IP address of the controlled range.
    * `lease_duration` - lease duration in seconds. If 0, using default duration (2 hours).
+ * `tls` - HTTPS/DOH/DOT settings.
+   * `enabled` - encryption (DOT/DOH/HTTPS) status.
+   * `server_name` - the hostname of your HTTPS/TLS server.
+   * `force_https` - if true, forces HTTP->HTTPS redirect.
+   * `port_https` - HTTPS port. If 0, HTTPS will be disabled.
+   * `port_dns_over_tls` - DNS-over-TLS port. If 0, DOT will be disabled.
+   * `certificate_chain` - PEM-encoded certificates chain.
+   * `private_key` - PEM-encoded private key.
  * `user_rules` — User-specified filtering rules.
  * `log_file` — Path to the log file. If empty, writes to stdout, if `syslog` -- system log (or eventlog on Windows).
  * `verbose` — Enable our disables debug verbose output.
diff --git a/dnsforward/dnsforward.go b/dnsforward/dnsforward.go
index 54695c6f..785f32b7 100644
--- a/dnsforward/dnsforward.go
+++ b/dnsforward/dnsforward.go
@@ -72,8 +72,8 @@ type FilteringConfig struct {
 
 type TLSConfig struct {
 	TLSListenAddr    *net.TCPAddr `yaml:"-" json:"-"`
-	CertificateChain string       `yaml:"certificate_chain" json:"certificate_chain"`
-	PrivateKey       string       `yaml:"private_key" json:"private_key"`
+	CertificateChain string       `yaml:"certificate_chain" json:"certificate_chain"` // PEM-encoded certificates chain
+	PrivateKey       string       `yaml:"private_key" json:"private_key"`             // PEM-encoded private key
 }
 
 // ServerConfig represents server configuration.