diff --git a/Optional-Hardening.md b/Optional-Hardening.md
index e3a5092..6f38e6c 100644
--- a/Optional-Hardening.md
+++ b/Optional-Hardening.md
@@ -105,6 +105,8 @@ user_pref("browser.cache.disk.enable", false);
 ```javascript
 // PREF: enforce certificate pinning
 // [ERROR] MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
+// 1 = allow user MiTM (such as your antivirus) (default)
+// 2 = strict
 user_pref("security.cert_pinning.enforcement_level", 2);
 ```
 
@@ -186,7 +188,7 @@ user_pref("network.dns.skipTRR-when-parental-control-enabled", false);
 ```
 
 #### Manage exceptions
-Add sites to the [exceptions list](https://support.mozilla.org/en-US/kb/dns-over-https#w_off).
+Add sites to the [exceptions list](https://support.mozilla.org/en-US/kb/dns-over-https#w_off). You shouldn't need this in most normal use cases.
 * `☰` *→ Settings → Privacy & Security → DNS over HTTPS → Manage Exceptions*
 
 ***