diff --git a/Optional-Hardening.md b/Optional-Hardening.md
index c47090c..96fda64 100644
--- a/Optional-Hardening.md
+++ b/Optional-Hardening.md
@@ -23,20 +23,24 @@ We already:
 * [block](https://github.com/yokoffing/Betterfox/blob/df5fc26a1bdccd30e01f3c1dfe69a09a2c050410/Securefox.js#L810-L827) HTTP subresources from loading on HTTPS pages, including insecure downloads
 * [attempt](https://github.com/yokoffing/Betterfox/blob/df5fc26a1bdccd30e01f3c1dfe69a09a2c050410/Securefox.js#L545-L550) to upgrade HTTP site navigation to HTTPS
 
-#### Option 1: Enable in private windows only
-Firefox will get explicit permission from you before connecting to a site insecurely in [Private Browsing](https://support.mozilla.org/en-US/kb/private-browsing-use-firefox-without-history) windows (Firefox [incognito mode](https://support.mozilla.org/en-US/kb/common-myths-about-private-browsing)).
+To add to your overrides, choose between two options below.
+
+#### Option 1: Private windows only
+Firefox will get explicit permission from you before connecting to a site insecurely in [Private Browsing](https://support.mozilla.org/en-US/kb/private-browsing-use-firefox-without-history) (Firefox [incognito mode](https://support.mozilla.org/en-US/kb/common-myths-about-private-browsing)).
 ```
 // PREF: enable HTTPS-Only Mode
-// Strict HTTPS site navigation in Private Browsing.
+// Warn me before loading sites that don't support HTTPS
+// when using Private Browsing windows.
 user_pref("dom.security.https_only_mode_pbm", true);
 user_pref("dom.security.https_only_mode_error_page_user_suggestions", true);
 ```
 
-#### Option 2: Enable in all windows
-Firefox will get explicit permission from you before connecting to a site insecurely in Normal and Private Browsing windows.
+#### Option 2: All windows
+Firefox will get explicit permission from you before connecting to a site insecurely in Normal and Private Browsing.
 ```
 // PREF: enable HTTPS-Only Mode
-// Strict HTTPS site navigation in Normal and Private Browsing.
+// Warn me before loading sites that don't support HTTPS
+// in both Normal and Private Browsing windows.
 user_pref("dom.security.https_only_mode", true);
 user_pref("dom.security.https_only_mode_error_page_user_suggestions", true);
 ```
@@ -55,15 +59,20 @@ user_pref("network.cookie.sameSite.schemeful", true);
 ***
 
 ### Secure DNS (DoH setup)
-1) `network.trr.uri`: Use the one provided, or customize how DoH protects you.
-   * [Create a profile](https://nextdns.io/?from=xujj63g5) with NextDNS and follow our [configuration guide](https://github.com/yokoffing/NextDNS-Config).
+#### Provider
+* Use the one below, or [choose](https://github.com/curl/curl/wiki/DNS-over-HTTPS) your preferred provider.
+* We recommend that you [create a profile](https://nextdns.io/?from=xujj63g5) with NextDNS and follow our [configuration guide](https://github.com/yokoffing/NextDNS-Config).
+```
+// PREF: set DoH provider
+user_pref("network.trr.uri", "https://dns.quad9.net/dns-query");
+```
 
-2) `network.trr.mode`: Set to `2` if your work or university doesn't allow alternative DNS.
-   * `3` has site-exceptions with a nice UI on the error page:
-      * Go to `☰` *→ Settings → Privacy & Security → DNS over HTTPS → Manage Exceptions*
+#### Mode
+* Set to `2` if your work or university causes issues with alternative DNS.
+* `3` has site-exceptions with a nice UI on the error page:
+    * Go to `☰` *→ Settings → Privacy & Security → DNS over HTTPS → Manage Exceptions*
 ```
 // PREF: enforce DNS-over-HTTPS (DoH)
-user_pref("network.trr.uri", "https://dns.quad9.net/dns-query");
 user_pref("network.trr.mode", 3);
 user_pref("network.dns.skipTRR-when-parental-control-enabled", false);
 ```