diff --git a/aspnetcore/blazor/fundamentals/configuration.md b/aspnetcore/blazor/fundamentals/configuration.md index 7e0915ca7f..747f9a7623 100644 --- a/aspnetcore/blazor/fundamentals/configuration.md +++ b/aspnetcore/blazor/fundamentals/configuration.md @@ -61,7 +61,7 @@ Other configuration providers registered by the app can also provide configurati For more information on configuration providers, see . > [!WARNING] -> Configuration and settings files are visible to users on the client, and users can tamper with the data. **Don't store app secrets, credentials, or any other sensitive data in the app's configuration or files.** +> Configuration and settings files in the web root (`wwwroot` folder) are visible to users on the client, and users can tamper with the data. **Don't store app secrets, credentials, or any other sensitive data in any web root file.** ## App settings configuration @@ -112,7 +112,7 @@ Inject an instance into Client security restrictions prevent direct access to files via user code, including settings files for app configuration. To read configuration files in addition to `appsettings.json`/`appsettings.{ENVIRONMENT}.json` from the `wwwroot` folder into configuration, use an . > [!WARNING] -> Configuration and settings files are visible to users on the client, and users can tamper with the data. **Don't store app secrets, credentials, or any other sensitive data in the app's configuration or files.** +> Configuration and settings files in the web root (`wwwroot` folder) are visible to users on the client, and users can tamper with the data. **Don't store app secrets, credentials, or any other sensitive data in any web root file.** The following example reads a configuration file (`cars.json`) into the app's configuration. 
@@ -225,7 +225,7 @@ Obtain a section of the configuration in C# code with builder.Configuration.Bind("Local", options.ProviderOptions)); ``` +> [!WARNING] +> Configuration and settings files in the web root (`wwwroot` folder) are visible to users on the client, and users can tamper with the data. **Don't store app secrets, credentials, or any other sensitive data in any web root file.** + ## Logging configuration *This section applies to apps that configure logging via an app settings file in the `wwwroot` folder.*
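Review bot: In the hunk at -61, the reworded warning drops "the app's configuration" and now covers only web root files, while the context line directly above it says other configuration providers registered by the app can also provide configuration. A reader could take the narrower wording to mean that values supplied to the client through those other providers are acceptable places for secrets. Suggest keeping both scopes, for example "in the app's configuration or in any web root file", or adding one sentence stating that the warning applies to any configuration delivered to the client, whatever the provider.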
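Review bot: The hunk at -112 repeats the warning from the hunk at -61 word for word, and the last hunk adds a third copy, so the same paragraph now has to be kept in sync in three places in configuration.md. The previous wording had already been duplicated and needed this two-place edit to change. Suggest moving the text into one shared snippet that each section pulls in, or keeping the full warning once and linking back to it from the later sections.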
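Review bot: In the last hunk, the new warning is added after the closing fence of the `builder.Configuration.Bind("Local", options.ProviderOptions)` example and directly before "## Logging configuration", so it reads as a trailer to the section rather than a condition on the example a reader has already copied. In the hunk at -112 the warning sits ahead of "The following example reads a configuration file"; suggest placing it before the code block here as well so the placement is consistent across sections.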