diff --git a/doc/api/cli.md b/doc/api/cli.md
index 857f7de6ce7ca8..0551f7ebb88f8e 100644
--- a/doc/api/cli.md
+++ b/doc/api/cli.md
@@ -246,9 +246,10 @@ Binding the inspector to a public IP (including `0.0.0.0`) with an open port is
 insecure, as it allows external hosts to connect to the inspector and perform
 a [remote code execution][] attack.
 
-If you specify a host, make sure that at least one of the following is true:
-either the host is not public, or the port is properly firewalled to disallow
-unwanted connections.
+If specifying a host, make sure that either:
+
+* The host is not accessible from public networks.
+* A firewall disallows unwanted connections on the port.
 
 **More specifically, `--inspect=0.0.0.0` is insecure if the port (`9229` by
 default) is not firewall-protected.**