diff --git a/content/waf/configure/apreload.md b/content/waf/configure/apreload.md
index 81f4670f5..7f6dfe1f7 100644
--- a/content/waf/configure/apreload.md
+++ b/content/waf/configure/apreload.md
@@ -1,8 +1,8 @@
 ---
 # We use sentence case and present imperative tone
-title: "Use apreload to apply configuration updates"
+title: "Apply security policy updates without reloading NGINX using apreload"
 # Weights are assigned in increments of 100: determines sorting order
-weight: 200
+weight: 100
 # Creates a table of contents and sidebar, useful for large documents
 toc: true
 # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
diff --git a/content/waf/configure/compiler.md b/content/waf/configure/compiler.md
index 2b609b586..7c5a56252 100644
--- a/content/waf/configure/compiler.md
+++ b/content/waf/configure/compiler.md
@@ -2,7 +2,7 @@
 # We use sentence case and present imperative tone
 title: "Build and use the compiler tool"
 # Weights are assigned in increments of 100: determines sorting order
-weight: 300
+weight: 200
 # Creates a table of contents and sidebar, useful for large documents
 toc: true
 # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
diff --git a/content/waf/configure/converters.md b/content/waf/configure/converters.md
index 2b180499a..5d265b701 100644
--- a/content/waf/configure/converters.md
+++ b/content/waf/configure/converters.md
@@ -2,7 +2,7 @@
 # We use sentence case and present imperative tone
 title: "Build and use the converter tools"
 # Weights are assigned in increments of 100: determines sorting order
-weight: 400
+weight: 300
 # Creates a table of contents and sidebar, useful for large documents
 toc: true
 # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
diff --git a/content/waf/configure/kubernetes-read-only.md b/content/waf/configure/kubernetes-read-only.md
index 4ba13c4ec..50d8b6bd9 100644
--- a/content/waf/configure/kubernetes-read-only.md
+++ b/content/waf/configure/kubernetes-read-only.md
@@ -2,7 +2,7 @@
 # We use sentence case and present imperative tone
 title: "Add a read-only filesystem for Kubernetes "
 # Weights are assigned in increments of 100: determines sorting order
-weight: 700
+weight: 600
 # Creates a table of contents and sidebar, useful for large documents
 toc: true
 # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
diff --git a/content/waf/configure/nginx-features.md b/content/waf/configure/nginx-features.md
index 60e763138..ba1a5012c 100644
--- a/content/waf/configure/nginx-features.md
+++ b/content/waf/configure/nginx-features.md
@@ -2,7 +2,7 @@
 # We use sentence case and present imperative tone
 title: "Configure NGINX features with F5 WAF"
 # Weights are assigned in increments of 100: determines sorting order
-weight: 100
+weight: 700
 # Creates a table of contents and sidebar, useful for large documents
 toc: true
 # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
@@ -11,289 +11,199 @@ nd-content-type: reference # Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit nd-product: NAP-WAF --- - -This document shows example of how to modify your NGINX configuration to enable F5 WAF for NGINX features. +This document shows examples of how to modify your NGINX configuration to enable F5 WAF for NGINX features. It is intended as a reference for small, self-contained examples of how F5 WAF for NGINX can be configured. -Modules requiring the _Range_ header (Such as _Slice_) are unsupported in a scope which enables F5 WAF for NGINX. The examples below work around the contraints of these modules. - -For additional information on configuring NGINX, you should view the [NGINX documentation]({{< ref "/nginx/" >}}). +Important constraints when F5 WAF for NGINX is enabled: -## Internal subrequests +- Subrequest-based modules (modules that generate internal HTTP subrequests) are not supported when F5 WAF for NGINX (app_protect_enable) is applied to the same scope. As an alternative, it is recommended to enable F5 WAF for NGINX at an additional scope. In this configuration, F5 WAF for NGINX inspects only direct, client-facing HTTP requests, while internal subrequests fall outside that scope and are not inspected. +- Modules that require the HTTP Range header are not supported in the same configuration scope as **app_protect_enable on**. Place Range-dependent configuration in a server or location block without F5 WAF for NGINX enabled. -F5 WAF for NGINX will secure and inspect direct client-facing requests, but will not inspect internal subrequests triggered by modules. +For additional information on configuring NGINX, you should view the [NGINX documentation]({{< ref "/nginx/" >}}). 
-This applies to: +## Subrequest-based modules -* Client authorization (auth_request) -* Mirror (mirror) -* SSI (virtual include) -* njs (r.subrequest) +F5 WAF for NGINX inspects direct client-facing requests, but does not inspect internal subrequests generated by subrequest-based modules. -The following example demonstrates the general rule: +Examples of subrequest-based modules: -{{< tabs name="subrequest-example" >}} +* Slice +* Mirror +* Client authorization +* njs -{{% tab name="nginx.js" %}} +### Slice module example ```nginx -user nginx; -worker_processes 4; -#daemon off; - load_module modules/ngx_http_app_protect_module.so; -load_module modules/ngx_http_js_module.so; - -error_log /var/log/nginx/error.log warn; - -events { - worker_connections 65536; -} http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - sendfile on; - keepalive_timeout 65; - js_import main from example.js; - server { - listen 80; - server_name localhost; - proxy_http_version 1.1; - app_protect_enable on; + listen 127.0.0.1:8080; + server_name localhost; location / { - proxy_pass http://127.0.0.1:8080/foo/$request_uri; + app_protect_enable on; + proxy_pass http://127.0.0.1:8081$request_uri; } } - server { - listen 127.0.0.1:8080; - server_name localhost; - proxy_http_version 1.1; - location /foo { - js_content main.fetch_subrequest; - } + server { + listen 127.0.0.1:8081; + server_name localhost; location / { - internal; - return 200 "Hello! I got your URI request - $request_uri\n"; + proxy_pass http://1.2.3.4$request_uri; + slice 2; + proxy_set_header Range $slice_range; } } } ``` -{{% /tab %}} - -{{% tab name="example.js" %}} - -```js -async function fetch_subrequest(r) { - let reply = await r.subrequest('/