diff --git a/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto b/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto
index 065b536d..aa7be64b 100644
--- a/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto
+++ b/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto
@@ -80,8 +80,8 @@ message ExtAuthz {
   //
   bool clear_route_cache = 6;
 
-  // Sets the HTTP status that is returned to the client when there is a network error between the
-  // filter and the authorization server. The default status is HTTP 403 Forbidden.
+  // Sets the HTTP status that is returned to the client when the authorization server returns an error
+  // or cannot be reached. The default status is HTTP 403 Forbidden.
   type.v3.HttpStatus status_on_error = 7;
 
   // Specifies a list of metadata namespaces whose values, if present, will be passed to the
@@ -125,6 +125,10 @@ message ExtAuthz {
   // typed_per_filter_config for the path, requests will not be denied.
   //
   // If this field is not specified, all requests will be allowed when disabled.
+  //
+  // If a request is denied due to this setting, the response code in :ref:`status_on_error
+  // <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.status_on_error>` will
+  // be returned.
   config.core.v3.RuntimeFeatureFlag deny_at_disable = 11;
 
   // Specifies if the peer certificate is sent to the external service.