diff --git a/vaultwarden.subdomain.conf.sample b/vaultwarden.subdomain.conf.sample
index c92af40..5630392 100644
--- a/vaultwarden.subdomain.conf.sample
+++ b/vaultwarden.subdomain.conf.sample
@@ -62,6 +62,13 @@ server {
         # enable for Authentik (requires authentik-server.conf in the server block)
         #include /config/nginx/authentik-location.conf;
 
+        # if you enable admin page via ADMIN_TOKEN env variable
+        # consider restricting access to LAN only via uncommenting the following lines
+        #allow 10.0.0.0/8;
+        #allow 172.16.0.0/12;
+        #allow 192.168.0.0/16;
+        #deny all;
+
         include /config/nginx/proxy.conf;
         include /config/nginx/resolver.conf;
         set $upstream_app vaultwarden;
diff --git a/vaultwarden.subfolder.conf.sample b/vaultwarden.subfolder.conf.sample
index 2bba167..f97dc89 100644
--- a/vaultwarden.subfolder.conf.sample
+++ b/vaultwarden.subfolder.conf.sample
@@ -49,6 +49,13 @@ location ~  ^(/vaultwarden)?/admin {
     # enable for Authentik (requires authentik-server.conf in the server block)
     #include /config/nginx/authentik-location.conf;
 
+    # if you enable admin page via ADMIN_TOKEN env variable
+    # consider restricting access to LAN only via uncommenting the following lines
+    #allow 10.0.0.0/8;
+    #allow 172.16.0.0/12;
+    #allow 192.168.0.0/16;
+    #deny all;
+
     include /config/nginx/proxy.conf;
     include /config/nginx/resolver.conf;
     set $upstream_app vaultwarden;