diff --git a/prompts/REPO_POLICIES.md b/prompts/REPO_POLICIES.md index 635c6df..d7c9826 100644 --- a/prompts/REPO_POLICIES.md +++ b/prompts/REPO_POLICIES.md @@ -179,9 +179,10 @@ style conventions are in separate documents: or other implementation details to the client. Return generic error messages in production; detailed errors only when `DEBUG` is enabled. - **TLS:** - - The service itself may terminate TLS or sit behind a TLS-terminating - reverse proxy, but HSTS headers and secure cookie flags must be set - regardless so that the browser enforces HTTPS. + - Services never terminate TLS directly. They are always deployed behind + a TLS-terminating reverse proxy. The service itself listens on plain + HTTP. However, HSTS headers and `Secure` cookie flags must still be + set by the application so that the browser enforces HTTPS end-to-end. This list is non-exhaustive. Apply defense-in-depth: if a standard security hardening measure exists for HTTP services and is not listed here, it is
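Review bot: the phrase "so that the browser enforces HTTPS end-to-end" in the new TLS bullet is inaccurate given the sentence two lines above it: if the service listens on plain HTTP behind a TLS-terminating proxy, the proxy-to-service hop is unencrypted, so HSTS and `Secure` cookies only make the browser enforce HTTPS for its own connection to the proxy, not end to end. Suggest rewording to something like "so that the browser enforces HTTPS for the client-to-proxy connection", and adding a sentence that the plaintext hop between proxy and service must stay on a trusted network segment (loopback or a private interface) and never be reachable directly by clients, since a client that bypasses the proxy would otherwise get an HTTP endpoint with no TLS at all. The bullet should also say how the application learns that the original request was HTTPS: when the app itself sees only plain HTTP, frameworks typically need to be told to trust a forwarded-protocol header (e.g. `X-Forwarded-Proto`) from the proxy's address only, otherwise they may refuse to set `Secure` cookies or may emit redirect loops; that header must not be trusted from arbitrary sources, or a client could spoof it. Finally, the old text allowed services to terminate TLS themselves; the new text forbids it outright, so it is worth stating whether existing services that currently terminate TLS are expected to migrate, and by when.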