diff --git a/docs/rolereference.rst b/docs/rolereference.rst index 50f97dfcc9ef5ece39314803fa21f9575a3b69a4..39efdcb270333faf9c32eccbbe886e271da00461 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -1717,6 +1717,14 @@ The role implements the following: The role is implemented with the following layout/logic in mind: +* No plaintext HTTP is allowed, HTTPS is mandatory. Clients connecting + via plaintext HTTP are redirected to HTTPS. +* Clients are served with ``Strict-Transport-Security`` header with + value of ``max-age=31536000; includeSubDomains``. This forces + compliant clients to always connect using HTTPS to the web server + when accessing its domain, as well as any subdomains served + by this web server or any other. The (client-side) cached header + value expires after one year. * Website users are named after the ``FQDN`` (fully qualified domain name) of website, in format of ``web-ESCAPEDFQDN``, where ``ESCAPEDFQDN`` is equal to ``FQDN`` where dots have been replaced by underscores (for example, @@ -1779,12 +1787,6 @@ Parameters UID of the dedicated website administrator user. The user will be member of website group. -**enforce_https** (boolean, optional, ``True``) - Specify if HTTPS should be enforced for the website or not. If enforced, - clients connecting via plaintext will be redirected to HTTPS, and clients will - be served with ``Strict-Transport-Security`` header with value of - ``max-age=31536000; includeSubDomains``. - **environment_indicator** (dictionary, optional, ``null``) Specify configuration for including environment indicator on all HTML pages. Indicator is a simple strip at bottom of a page with custom background
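Review bot: In the first hunk (@@ -1717,6 +1717,14 @@), the new ``Strict-Transport-Security`` bullet says the policy covers subdomains "served by this web server or any other" but does not spell out the operational consequence. With ``includeSubDomains`` and a one-year ``max-age``, a compliant client that has visited the site will refuse plaintext HTTP to every subdomain of the website's FQDN for a year, including subdomains hosted on machines this role does not manage. Suggest adding a sentence warning that all subdomains must be reachable over HTTPS with a valid certificate before the role is deployed for a parent domain. Also, "when accessing its domain" is ambiguous; "when accessing the website's ``FQDN``" would match the terminology used in the next bullet.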
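Review bot: In the second hunk (@@ -1779,12 +1787,6 @@), the ``enforce_https`` parameter entry is dropped from the Parameters list without any removal or upgrade note in the visible diff. The parameter was documented as optional with a default of ``True``, so existing configurations that set ``enforce_https: False`` would change behaviour: the website would start redirecting to HTTPS and sending a one-year HSTS header, which clients cache and which cannot be undone by simply reverting the role. Suggest documenting the removal (for example in the release notes or next to the new bullets in the layout/logic list) and stating what happens if the parameter is still passed.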