diff --git a/examples/get_cert.py b/examples/get_cert.py
index 883ab28..e790f42 100644
--- a/examples/get_cert.py
+++ b/examples/get_cert.py
@@ -42,12 +42,13 @@ def main():
 # Connection will be chosen automatically based on which arguments are passed.
 # If token is passed CyberArk Certificate Manager, SaaS connection will be used.
 # If user, password, and URL CyberArk Certificate Manager, Self-Hosted will be used.
- conn = Connection(url=url, token=token, user=user, password=password,
- http_request_kwargs={'verify': False})
 # If your CyberArk Certificate Manager, Self-Hosted server certificate signed with your own CA, or available only via proxy, you can specify
 # a trust bundle using requests vars:
+ conn = Connection(url=url, token=token, user=user, password=password,
+ http_request_kwargs={"verify": "/path-to/bundle.pem"})
+ # Lab/testing only — DO NOT use in production:
+ # conn = Connection(url=url, token=token, user=user, password=password,
- # http_request_kwargs={"verify": "/path-to/bundle.pem"})
+ # http_request_kwargs={'verify': False})
 request = CertificateRequest(common_name=f"{randomword(10)}.venafi.example.com")
 request.san_dns = ["www.client.venafi.example.com", "ww1.client.venafi.example.com"]
diff --git a/examples/ssh_certificates/get_cert_ssh.py b/examples/ssh_certificates/get_cert_ssh.py
index f9840c5..137f315 100644
--- a/examples/ssh_certificates/get_cert_ssh.py
+++ b/examples/ssh_certificates/get_cert_ssh.py
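Review bot: The live `Connection(...)` call now hard-codes `http_request_kwargs={"verify": "/path-to/bundle.pem"}`, a placeholder path, so the example fails at the first request until the reader edits it (requests rejects a `verify` path that does not exist); the same pattern is introduced in the get_cert_ssh.py, get_cert_ssh_service.py and get_cert_tpp_token.py hunks. A safer default for a sample is to leave `verify` out entirely, which makes requests validate against the system trust store, and keep the bundle path as the documented override: `conn = Connection(url=url, token=token, user=user, password=password)` preceded by `# Omitting "verify" validates against the system CA store (or REQUESTS_CA_BUNDLE); for a private CA pass http_request_kwargs={"verify": "/path-to/bundle.pem"}`. The comment now sitting directly above the call ("If your ... server certificate signed with your own CA ... you can specify a trust bundle") describes an optional case while the call below it is unconditional, so it should be reworded to match whichever form is kept. main() continues outside the hunk.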
@@ -31,11 +31,12 @@ def main():
 user = environ.get('TPP_USER')
 password = environ.get('TPP_PASSWORD')
- connector = venafi_connection(url=url, user=user, password=password, http_request_kwargs={'verify': False})
 # If your CyberArk Certificate Manager, Self-Hosted server certificate is signed with your own CA, or available only via proxy,
 # you can specify a trust bundle using requests vars:
- # connector = venafi_connection(url=url, api_key=api_key, access_token=access_token,
- # http_request_kwargs={"verify": "/path-to/bundle.pem"})
+ connector = venafi_connection(url=url, user=user, password=password,
+ http_request_kwargs={"verify": "/path-to/bundle.pem"})
+ # Lab/testing only — DO NOT use in production:
+ # connector = venafi_connection(url=url, user=user, password=password, http_request_kwargs={'verify': False})
 # Create an Authentication object to request a token with the proper scope to manage SSH certificates
 auth = Authentication(user=user, password=password, scope=SCOPE_SSH)
diff --git a/examples/ssh_certificates/get_cert_ssh_service.py b/examples/ssh_certificates/get_cert_ssh_service.py
index 178afd0..8c9ec06 100644
--- a/examples/ssh_certificates/get_cert_ssh_service.py
+++ b/examples/ssh_certificates/get_cert_ssh_service.py
@@ -31,11 +31,12 @@ def main():
 user = environ.get('TPP_USER')
 password = environ.get('TPP_PASSWORD')
- connector = venafi_connection(url=url, user=user, password=password, http_request_kwargs={'verify': False})
 # If your CyberArk Certificate Manager, Self-Hosted server certificate signed with your own CA, or available only via proxy,
 # you can specify a trust bundle using requests vars:
- # connector = venafi_connection(url=url, api_key=api_key, access_token=access_token,
- # http_request_kwargs={"verify": "/path-to/bundle.pem"})
+ connector = venafi_connection(url=url, user=user, password=password,
+ http_request_kwargs={"verify": "/path-to/bundle.pem"})
+ # Lab/testing only — DO NOT use in production:
+ # connector = venafi_connection(url=url, user=user, password=password, http_request_kwargs={'verify': False})
 # Create an Authentication object to request a token with the proper scope to manage SSH certificates
 auth = Authentication(user=user, password=password, scope=SCOPE_SSH)
diff --git a/examples/tpp/get_cert_tpp_token.py b/examples/tpp/get_cert_tpp_token.py
index 775eb37..4fd160d 100644
--- a/examples/tpp/get_cert_tpp_token.py
+++ b/examples/tpp/get_cert_tpp_token.py
@@ -41,11 +41,12 @@ def main():
 # If user and password are passed, you can get a new token from them.
 # If access_token and refresh_token are passed, there is no need for the username and password.
 # If only access_token is passed, the Connection will fail when token expires, as there is no way to refresh it.
- conn = venafi_connection(url=url, user=user, password=password, http_request_kwargs={'verify': False})
 # If your CyberArk Certificate Manager, Self-Hosted server certificate signed with your own CA, or available only via proxy, you can specify
 # a trust bundle using requests vars:
- # conn = token_connection(url=url, user=user, password=password,
- # http_request_kwargs={"verify": "/path-to/bundle.pem"})
+ conn = venafi_connection(url=url, user=user, password=password,
+ http_request_kwargs={"verify": "/path-to/bundle.pem"})
+ # Lab/testing only — DO NOT use in production:
+ # conn = venafi_connection(url=url, user=user, password=password, http_request_kwargs={'verify': False})
 request = CertificateRequest(common_name=f"{random_word(10)}.venafi.example.com")
 request.san_dns = ["www.client.venafi.example.com", "ww1.client.venafi.example.com"]
diff --git a/vcert/connection_cloud.py b/vcert/connection_cloud.py
index 6dc9267..cf91d80 100644
--- a/vcert/connection_cloud.py
+++ b/vcert/connection_cloud.py
@@ -155,6 +155,9 @@ def __init__(self, token, url=None, http_request_kwargs=None):
 http_request_kwargs['timeout'] = 180
 self._http_request_kwargs = http_request_kwargs
+ if self._http_request_kwargs.get('verify') is False:
+ log.warning("TLS certificate verification is DISABLED; credentials and private keys will be transmitted over unverified connections. This configuration is only appropriate for isolated test environments.")
+
 def __str__(self):
 return f"[Cloud] {self._base_url}"
diff --git a/vcert/connection_tpp.py b/vcert/connection_tpp.py
index d710f6e..d976180 100644
--- a/vcert/connection_tpp.py
+++ b/vcert/connection_tpp.py
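Review bot: The new guard `if self._http_request_kwargs.get('verify') is False:` in connection_cloud.py's `__init__` only catches the literal `False`, while requests skips certificate validation for any falsy `verify` value (`0`, `""`, an empty list), so those configurations get no warning. Widen it to `verify = self._http_request_kwargs.get('verify', True)` followed by `if verify is not None and not verify:`, since a `None` entry falls back to the session default in requests and verification stays on. The identical block is added in the connection_tpp.py and connection_tpp_token.py hunks; one shared helper would keep the three copies from drifting, and the `log` name is not visible in any of the three hunks, so confirm each module defines it at module level. `__init__` starts outside the hunk.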
@@ -46,6 +46,9 @@ def __init__(self, user, password, url, http_request_kwargs=None):
 http_request_kwargs['timeout'] = 180
 self._http_request_kwargs = http_request_kwargs or {}
+ if self._http_request_kwargs.get('verify') is False:
+ log.warning("TLS certificate verification is DISABLED; credentials and private keys will be transmitted over unverified connections. This configuration is only appropriate for isolated test environments.")
+
 def __setattr__(self, key, value):
 if key == '_base_url':
 value = self._normalize_and_verify_base_url(value)
diff --git a/vcert/connection_tpp_token.py b/vcert/connection_tpp_token.py
index 1a02cb0..414b8cb 100644
--- a/vcert/connection_tpp_token.py
+++ b/vcert/connection_tpp_token.py
@@ -52,6 +52,9 @@ def __init__(self, url, user=None, password=None, access_token=None, refresh_tok
 http_request_kwargs['timeout'] = 180
 self._http_request_kwargs = http_request_kwargs or {}
+ if self._http_request_kwargs.get('verify') is False:
+ log.warning("TLS certificate verification is DISABLED; credentials and private keys will be transmitted over unverified connections. This configuration is only appropriate for isolated test environments.")
+
 def __setattr__(self, key, value):
 if key == '_base_url':
 value = self._normalize_and_verify_base_url(value)