diff --git a/Allowing-Vaultwarden-to-Fetch-Icons-from-Internal-Services.md b/Allowing-Vaultwarden-to-Fetch-Icons-from-Internal-Services.md new file mode 100644 index 0000000..ce689e6 --- /dev/null +++ b/Allowing-Vaultwarden-to-Fetch-Icons-from-Internal-Services.md 
@@ -0,0 +1,78 @@ +# Allowing Vaultwarden to Fetch Icons from Internal Services + +This configuration applies to self-hosted environments where Vaultwarden needs to fetch icons from services hosted on internal/private networks, for example: + +- A NAS or server hosting multiple self-hosted applications +- Services accessed through a local network +- Services exposed only through VPNs such as Tailscale +- Reverse proxy setups using internal IPs or split DNS + +By default, Vaultwarden blocks requests to non-global/private IP addresses as a security measure. Because of this, icons may fail to load for services that resolve to: + +- LAN IPs (`192.168.x.x`, `10.x.x.x`, etc.) +- Tailscale/CGNAT ranges (`100.x.x.x`) +- Other internal-only addresses + +## Configuration + +Set the following environment variable: + +```env +HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS=false +``` + +Depending on the Vaultwarden version, you may also need to set: + +```env +ICON_BLACKLIST_NON_GLOBAL_IPS=false +``` + +However, `ICON_BLACKLIST_NON_GLOBAL_IPS` is deprecated and newer versions use `HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS`. + +Then restart/redeploy Vaultwarden. + +## TrueNAS SCALE Important Note + +When running Vaultwarden as a TrueNAS SCALE App, setting the environment variable alone may not be enough. + +TrueNAS can override some Vaultwarden settings internally through the application configuration interface. + +You must also: + +1. Open the Vaultwarden Admin Panel +2. Go to `Advanced Settings` +3. Locate `Block non global IPs` +4. Set it to `false` / disabled +5. Save and restart the app + +If this setting remains enabled, Vaultwarden will continue blocking icon downloads from internal IP ranges even if the environment variable is already present. + +## Security Considerations + +Disabling `HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS` reduces protection against SSRF (Server-Side Request Forgery) attacks. 
+ +With this setting disabled, Vaultwarden is allowed to make HTTP requests to internal/private IP ranges. This is required for environments where self-hosted services are intentionally exposed only through internal networking, VPNs, or private DNS. + +Only disable this setting if: + +- You trust the users who can create/edit vault entries +- Your Vaultwarden instance is private and properly secured +- You understand that Vaultwarden will be able to access internal network resources + +For most self-hosted homelab or internal infrastructure setups, this tradeoff is acceptable and required for proper icon fetching functionality. + +## Symptoms + +Vaultwarden logs may contain warnings similar to: + +```text +IP 100.x.x.x for domain 'service.example.com' is not a global IP! +``` + +or: + +```text +IP 192.168.x.x for domain 'service.example.com' is not a global IP! +``` + +After disabling the restriction, icons for internal/self-hosted services should begin working normally. \ No newline at end of file
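Review bot: the line "Depending on the Vaultwarden version, you may also need to set: ICON_BLACKLIST_NON_GLOBAL_IPS=false" leaves the reader unable to tell which variable applies to their install; since the next paragraph already says the old name is deprecated, state the version boundary (or point to the release notes) and otherwise drop the "may also need to set" step so nobody sets both. In the "Security Considerations" section it would help to say plainly that `HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS` is instance-wide: the hunk's own sentence "Vaultwarden is allowed to make HTTP requests to internal/private IP ranges" covers every outbound request, not only icon fetching, so the "Only disable this setting if" list should make the reader weigh the whole host's reachable network, and should note that the admin panel value wins over the environment variable (as the TrueNAS section already states) so re-enabling later must happen in the same place. Minor: step 4 "Set it to `false` / disabled" reads awkwardly for a checkbox; "Uncheck `Block non global IPs`" matches step 3.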