chore: update docs and logs to be more concise on security risks (googleapis#3125)

Update docs and logs to be more clear on security risks.

Related: googleapis#3113

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

Author: Yuan325

.hugo/layouts/shortcodes/production-security-warning.html

@@ -1,6 +1,13 @@
 <div class="td-sidebar-link td-sidebar-link__page alert alert-warning shadow-sm" role="alert">
     <h4 class="alert-heading">⚠️ Production Security Warning</h4>
-    <p><strong>Secure your deployment:</strong> By default, Toolbox allows all hosts (<code>--allowed-hosts</code>) and all origins (<code>--allowed-origins</code>). While convenient for local development, this is <strong>insecure for production</strong>.</p>
+    <p><strong>Secure your deployment:</strong> By default, Toolbox uses HTTP
+    and runs on all hosts (<code>--allowed-hosts</code>) and all origins
+    (<code>--allowed-origins</code>). While convenient, this is
+    <strong>insecure</strong> and could expose you to unauthorized access of
+    your toolbox instances. Please review the example under reference/cli to
+    secure your instances.</p>
+
+    <p class="mt-3 mb-0 small opacity-75">Note: The server issues a warning in the logs if these are set to the wildcard <code>*</code>.</p>
 
     <hr>
 
@@ -13,7 +20,9 @@ <h4 class="alert-heading">⚠️ Production Security Warning</h4>
             <strong>Implement CORS:</strong> Use the <code>--allowed-origins</code> flag to specify a list of origins permitted to access the server.
             <div class="mt-1"><small><em>Example:</em></small> <code>command: ["--config", "/config/tools.yaml", "--address", "0.0.0.0", "--allowed-origins", "https://foo.bar"]</code></div>
         </li>
+        <li>
+            <strong>Enable HTTPS:</strong> Use the <code>--tls-cert</code> and <code>--tls-key</code> flags to secure your connection.
+            <div class="mt-1"><small><em>Example:</em></small> <code>command: ["--config", "/config/tools.yaml", "--address", "0.0.0.0", "--tls-cert", "cert.pem", "--tls-key", "key.pem"]</code></div>
+        </li>
     </ul>
-
-    <p class="mt-3 mb-0 small opacity-75">Note: The server issues a warning in the logs if these are set to the wildcard <code>*</code>.</p>
 </div>

docs/en/documentation/deploy-to/_index.md

@@ -23,3 +23,5 @@ secret manager.
 To enable HTTPS, you must provide a valid pair of `--tls-cert` and `--tls-key`
 files; specifying only one will cause the server to fail at startup.
 {{< /notice >}}
+
+{{< production-security-warning >}}

internal/server/server.go

@@ -392,7 +392,7 @@ func NewServer(ctx context.Context, cfg ServerConfig) (*Server, error) {
 
 	// cors
 	if slices.Contains(cfg.AllowedOrigins, "*") {
-		s.logger.WarnContext(ctx, "wildcard (`*`) allows all origin to access the resource and is not secure. Use it with cautious for public, non-sensitive data, or during local development. Recommended to use `--allowed-origins` flag")
+		s.logger.WarnContext(ctx, "wildcard (*) allows any website to access the resources. This creates a security risk regardless of whether you are in a production or local development environment. Recommended to use --allowed-origins with specific local addresses.")
 	}
 	corsOpts := cors.Options{
 		AllowedOrigins:   cfg.AllowedOrigins,
@@ -405,7 +405,7 @@ func NewServer(ctx context.Context, cfg ServerConfig) (*Server, error) {
 	r.Use(cors.Handler(corsOpts))
 	// validate hosts for DNS rebinding attacks
 	if slices.Contains(cfg.AllowedHosts, "*") {
-		s.logger.WarnContext(ctx, "wildcard (`*`) allows all hosts to access the resource and is not secure. Use it with cautious for public, non-sensitive data, or during local development. Recommended to use `--allowed-hosts` flag to prevent DNS rebinding attacks")
+		s.logger.WarnContext(ctx, "wildcard (*) hosts allow any domain to access this resource, making it vulnerable to DNS rebinding attacks regardless of whether you are in a production or local development environment. For improved security, use the --allowed-hosts flag to specify trusted domains.")
 	}
 	allowedHostsMap := make(map[string]struct{}, len(cfg.AllowedHosts))
 	for _, h := range cfg.AllowedHosts {