diff --git a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html index 9a6851d1884..e8ffb614b4c 100644 --- a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html +++ b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html @@ -4715,7 +4715,7 @@

AuthenticationPolicy

ForwardClientCertDetails

ForwardClientCertDetails controls how the x-forwarded-client-cert (XFCC) -header is handled by the gateway proxy. +header is handled by a proxy. See Envoy XFCC header handling for more details.

@@ -4737,7 +4737,7 @@

ForwardClientCertDetails

SANITIZE -

Do not send the XFCC header to the next hop. This is the default value.

+

Do not send the XFCC header to the next hop.

@@ -4753,7 +4753,7 @@

ForwardClientCertDetails

APPEND_FORWARD

When the client connection is mTLS, append the client certificate -information to the request’s XFCC header and forward it.

+information to the request’s XFCC header and forward it. This is the default value for sidecar proxies.

@@ -4761,7 +4761,7 @@

ForwardClientCertDetails

SANITIZE_SET

When the client connection is mTLS, reset the XFCC header with the client -certificate information and send it to the next hop.

+certificate information and send it to the next hop. This is the default value for gateway proxies.

diff --git a/mesh/v1alpha1/proxy.pb.go b/mesh/v1alpha1/proxy.pb.go index f7d686ef3f5..a9f969ac1f0 100644 --- a/mesh/v1alpha1/proxy.pb.go +++ b/mesh/v1alpha1/proxy.pb.go @@ -95,7 +95,7 @@ func (AuthenticationPolicy) EnumDescriptor() ([]byte, []int) { } // ForwardClientCertDetails controls how the x-forwarded-client-cert (XFCC) -// header is handled by the gateway proxy. +// header is handled by a proxy. // See [Envoy XFCC](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto.html#enum-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-forwardclientcertdetails) // header handling for more details. type ForwardClientCertDetails int32 @@ -103,16 +103,16 @@ type ForwardClientCertDetails int32 const ( // Field is not set ForwardClientCertDetails_UNDEFINED ForwardClientCertDetails = 0 - // Do not send the XFCC header to the next hop. This is the default value. + // Do not send the XFCC header to the next hop. ForwardClientCertDetails_SANITIZE ForwardClientCertDetails = 1 // When the client connection is mTLS (Mutual TLS), forward the XFCC header // in the request. ForwardClientCertDetails_FORWARD_ONLY ForwardClientCertDetails = 2 // When the client connection is mTLS, append the client certificate - // information to the request’s XFCC header and forward it. + // information to the request’s XFCC header and forward it. This is the default value for sidecar proxies. ForwardClientCertDetails_APPEND_FORWARD ForwardClientCertDetails = 3 // When the client connection is mTLS, reset the XFCC header with the client - // certificate information and send it to the next hop. + // certificate information and send it to the next hop. This is the default value for gateway proxies. ForwardClientCertDetails_SANITIZE_SET ForwardClientCertDetails = 4 // Always forward the XFCC header in the request, regardless of whether the // client connection is mTLS. 
diff --git a/mesh/v1alpha1/proxy.proto b/mesh/v1alpha1/proxy.proto
index e1ec3e8b59d..091298d206e 100644
--- a/mesh/v1alpha1/proxy.proto
+++ b/mesh/v1alpha1/proxy.proto
@@ -273,14 +273,14 @@ message Topology {
 }
 // ForwardClientCertDetails controls how the x-forwarded-client-cert (XFCC)
-// header is handled by the gateway proxy.
+// header is handled by a proxy.
 // See [Envoy XFCC](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto.html#enum-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-forwardclientcertdetails)
 // header handling for more details.
 enum ForwardClientCertDetails {
 // Field is not set
 UNDEFINED = 0;
- // Do not send the XFCC header to the next hop. This is the default value.
+ // Do not send the XFCC header to the next hop.
 SANITIZE = 1;
 // When the client connection is mTLS (Mutual TLS), forward the XFCC header
@@ -288,11 +288,11 @@ enum ForwardClientCertDetails {
 FORWARD_ONLY = 2;
 // When the client connection is mTLS, append the client certificate
- // information to the request’s XFCC header and forward it.
+ // information to the request’s XFCC header and forward it. This is the default value for sidecar proxies.
 APPEND_FORWARD = 3;
 // When the client connection is mTLS, reset the XFCC header with the client
- // certificate information and send it to the next hop.
+ // certificate information and send it to the next hop. This is the default value for gateway proxies.
 SANITIZE_SET = 4;
 // Always forward the XFCC header in the request, regardless of whether the
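Review bot: With `This is the default value.` removed from SANITIZE, the `UNDEFINED = 0` entry in the first proxy.proto hunk still reads only `// Field is not set`, so the zero value no longer tells a reader which behaviour an unset field produces. I would extend that comment to `// Field is not set; the proxy-type default applies (APPEND_FORWARD for sidecars, SANITIZE_SET for gateways).`, assuming an unset field does resolve to those per-type defaults as the new value comments imply. The enum body continues past the end of this hunk.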
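Review bot: The new APPEND_FORWARD comment in the second proxy.proto hunk documents append-and-forward as the sidecar default without saying what that means for trust in the header. Going by the comment's own wording, entries already present in the request's XFCC header are kept and the client certificate details are added after them, so a workload reading the header should not treat every entry as verified by its own sidecar. I would add a line such as `// Entries already in the header are preserved; only the appended entry was verified by this proxy.` and let proxy.pb.go and the HTML reference pick it up on regeneration. The enum continues past the end of this hunk.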