From a8e3f4ef2694cab536d229424f50f97cce598366 Mon Sep 17 00:00:00 2001
From: jasonwitty
Date: Fri, 22 Aug 2025 22:39:18 -0700
Subject: [PATCH] docs: describe --verify-hostname flag and default relaxed SAN behavior

---
 README.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/README.md b/README.md
index 1dbe374..bb47669 100644
--- a/README.md
+++ b/README.md
@@ -159,6 +159,8 @@ socktop ws://HOST:3000/ws
 socktop "ws://HOST:3000/ws?token=changeme"
 # TLS with pinned server certificate (recommended over the internet):
 socktop --tls-ca /path/to/cert.pem wss://HOST:8443/ws
+# (By default hostname/SAN verification is skipped for ease on home networks. To enforce it add --verify-hostname)
+socktop --verify-hostname --tls-ca /path/to/cert.pem wss://HOST:8443/ws
 # shorthand:
 socktop -t /path/to/cert.pem wss://HOST:8443/ws
 # Note: providing --tls-ca/-t automatically upgrades ws:// to wss:// if you forget
@@ -397,6 +399,7 @@ socktop --tls-ca /path/to/agent/cert.pem wss://HOST:8443/ws
 Notes:
 - Do not copy the private key off the server; only the cert.pem is needed by clients.
 - When --tls-ca/-t is supplied, the client auto‑upgrades ws:// to wss:// to avoid protocol mismatch.
+- Hostname (SAN) verification is DISABLED by default (the cert is still pinned). Use `--verify-hostname` to enable strict SAN checking.
 - You can run multiple clients with different cert paths by passing --tls-ca per invocation.
---