diff --git a/Docker_Registry_Install_Guide.md b/Docker_Registry_Install_Guide.md
index 1b39eb5..27c2127 100644
--- a/Docker_Registry_Install_Guide.md
+++ b/Docker_Registry_Install_Guide.md
@@ -127,7 +127,6 @@ Environment=PODMAN_RUNROOT=/run/user/%U/podman-run
 Environment=PODMAN_TMPDIR=/var/tmp/podman-%U/tmp
 Environment=XDG_DATA_HOME=/var/tmp/podman-%U/xdg-data
 Environment=XDG_CONFIG_HOME=/var/tmp/podman-%U/xdg-config
-StateDirectory=registry
 ExecStart=/usr/bin/podman --root=${PODMAN_ROOT} --runroot=${PODMAN_RUNROOT} --tmpdir=${PODMAN_TMPDIR} --events-backend=file \
 run --rm --name registry \
 -p 127.0.0.1:5000:5000 \
@@ -368,6 +367,10 @@ sudo ufw allow from 192.168.0.0/16 to any port 4443 proto tcp
 # For public access to 4443 (less secure), use:
 # sudo ufw allow 4443/tcp
 
+# Optional: Consider SystemCallFilter for additional hardening
+# (validate exact syscall set for your distro's nginx build)
+# SystemCallFilter=@system-service
+
 # Note: Port 5000 is NOT opened - registry runs loopback-only
 
 ## Client Trust Configuration
@@ -376,19 +379,21 @@ For clients to trust your registry certificates, they should install the server
 
 **For pulls (port 443):**
 ```bash
-# On client systems
-sudo mkdir -p /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS
-sudo cp /path/to/registry-ca.crt /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS/ca.crt
+# On client systems - use the actual FQDN/IP from your certificates
+sudo mkdir -p /etc/containers/certs.d/REGISTRY_HOST
+sudo cp /path/to/registry-ca.crt /etc/containers/certs.d/REGISTRY_HOST/ca.crt
 ```
 
 **For pushes (port 4443, mTLS):**
 ```bash
-# On client systems
-sudo mkdir -p /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS:4443
-sudo cp /path/to/registry-ca.crt /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS:4443/ca.crt
-sudo cp /path/to/client.crt /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS:4443/client.cert
-sudo cp /path/to/client.key /etc/containers/certs.d/YOUR_ACTUAL_IP_ADDRESS:4443/client.key
+# On client systems - use the actual FQDN/IP from your certificates
+sudo mkdir -p /etc/containers/certs.d/REGISTRY_HOST:4443
+sudo cp /path/to/registry-ca.crt /etc/containers/certs.d/REGISTRY_HOST:4443/ca.crt
+sudo cp /path/to/client.crt /etc/containers/certs.d/REGISTRY_HOST:4443/client.cert
+sudo cp /path/to/client.key /etc/containers/certs.d/REGISTRY_HOST:4443/client.key
 ```
+
+**Note:** Replace `REGISTRY_HOST` with the actual FQDN or IP address that matches your certificate's Subject Alternative Name (SAN). For pushes, both the server CA certificate and client certificate/key are required for mTLS authentication.
 ```
 
 ### 4.2 Enable and Start Services