diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index eadc1c0d96..9643e396b6 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -1400,6 +1400,7 @@ PATH =
 ;; Built-in: loopback (for localhost), private (for LAN/intranet), external (for public hosts on internet), * (for all hosts)
 ;; CIDR list: 1.2.3.0/8, 2001:db8::/32
 ;; Wildcard hosts: *.mydomain.com, 192.168.100.*
+;; Since 1.15.7. Default to * for 1.15.x, external for 1.16 and later
 ;ALLOWED_HOST_LIST = external
 ;;
 ;; Allow insecure certification
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index 6cc6043cae..3b5d9213df 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -581,7 +581,7 @@ Define allowed algorithms and their minimum key length (use -1 to disable a type
 
 - `QUEUE_LENGTH`: **1000**: Hook task queue length. Use caution when editing this value.
 - `DELIVER_TIMEOUT`: **5**: Delivery timeout (sec) for shooting webhooks.
-- `ALLOWED_HOST_LIST`: **external**: Webhook can only call allowed hosts for security reasons. Comma separated list.
+- `ALLOWED_HOST_LIST`: **external**: Since 1.15.7. Default to `*` for 1.15.x, `external` for 1.16 and later. Webhook can only call allowed hosts for security reasons. Comma separated list.
   - Built-in networks:
     - `loopback`: 127.0.0.0/8 for IPv4 and ::1/128 for IPv6, localhost is included.
     - `private`: RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and RFC 4193 (FC00::/7). Also called LAN/Intranet.