diff --git a/docker/content.md b/docker/content.md
index cf91c429c..4c8a2675b 100644
--- a/docker/content.md
+++ b/docker/content.md
@@ -18,9 +18,9 @@ If you are still convinced that you need Docker-in-Docker and not just access to
 
 ## TLS
 
-Starting in 18.09+, the `dind` variants of this image will automatically generate TLS certificates the directory specified by the `DOCKER_TLS_CERTDIR` environment variable.
+Starting in 18.09+, the `dind` variants of this image will automatically generate TLS certificates in the directory specified by the `DOCKER_TLS_CERTDIR` environment variable.
 
-**Warning:** in 18.09, this behavior is disabled by default (for compatibility) but can be enabled by setting the variable to an appropriate value (`-e DOCKER_TLS_CERTDIR=/certs` or similar). In 19.03+, this behavior is enabled by default.
+**Warning:** in 18.09, this behavior is disabled by default (for compatibility). If you use `--network=host`, shared network namespaces (as in Kubernetes pods), or otherwise have network access to the container (including containers started within the `dind` instance via their gateway interface), this is a potential security issue (which can lead to access to the host system, for example). It is recommended to enable TLS by setting the variable to an appropriate value (`-e DOCKER_TLS_CERTDIR=/certs` or similar). In 19.03+, this behavior is enabled by default.
 
 When enabled, the Docker daemon will be started with `--host=tcp://0.0.0.0:2376 --tlsverify ...` (and when disabled, the Docker daemon will be started with `--host=tcp://0.0.0.0:2375`).