diff --git a/.env.template b/.env.template
index ca6962b4..7fcbbfcb 100644
--- a/.env.template
+++ b/.env.template
@@ -268,6 +268,17 @@
 ## Multiple values must be separated with a whitespace.
 # ALLOWED_IFRAME_ANCESTORS=
 
+## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in.
+# LOGIN_RATELIMIT_SECONDS=60
+## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`.
+## Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2.
+# LOGIN_RATELIMIT_MAX_BURST=10
+
+## Number of seconds, on average, between admin requests from the same IP address before rate limiting kicks in.
+# ADMIN_RATELIMIT_SECONDS=300
+## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`.
+# ADMIN_RATELIMIT_MAX_BURST=3
+
 ## Yubico (Yubikey) Settings
 ## Set your Client ID and Secret Key for Yubikey OTP
 ## You can generate it here: https://upgrade.yubico.com/getapikey/
diff --git a/src/config.rs b/src/config.rs
index 7312a6c2..5bbe8575 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -512,12 +512,12 @@ make_config! {
         /// Allowed iframe ancestors (Know the risks!) |> Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets
         allowed_iframe_ancestors: String, true, def,    String::new();
 
-        /// Seconds between login requests |> Number of seconds, on average, between login requests before rate limiting kicks in. Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2
+        /// Seconds between login requests |> Number of seconds, on average, between login and 2FA requests from the same IP address before rate limiting kicks in
         login_ratelimit_seconds:       u64, false, def, 60;
-        /// Max burst size for login requests |> Allow a burst of requests of up to this size, while maintaining the average indicated by `login_ratelimit_seconds`
+        /// Max burst size for login requests |> Allow a burst of requests of up to this size, while maintaining the average indicated by `login_ratelimit_seconds`. Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2
         login_ratelimit_max_burst:     u32, false, def, 10;
 
-        /// Seconds between admin requests |> Number of seconds, on average, between admin requests before rate limiting kicks in
+        /// Seconds between admin requests |> Number of seconds, on average, between admin requests from the same IP address before rate limiting kicks in
         admin_ratelimit_seconds:       u64, false, def, 300;
         /// Max burst size for login requests |> Allow a burst of requests of up to this size, while maintaining the average indicated by `admin_ratelimit_seconds`
         admin_ratelimit_max_burst:     u32, false, def, 3;