diff --git a/website/source/docs/agent/encryption.html.markdown b/website/source/docs/agent/encryption.html.markdown index 76624e0be..36db8ad0a 100644 --- a/website/source/docs/agent/encryption.html.markdown +++ b/website/source/docs/agent/encryption.html.markdown @@ -64,7 +64,8 @@ using OpenSSL. Note: client certificates must have for client and server authentication. TLS can be used to verify the authenticity of the servers or verify the authenticity of clients. -These modes are controlled by the [`verify_outgoing`](/docs/agent/options.html#verify_outgoing) +These modes are controlled by the [`verify_outgoing`](/docs/agent/options.html#verify_outgoing), +[`verify_server_hostname`](/docs/agent/options.html#verify_server_hostname), and [`verify_incoming`](/docs/agent/options.html#verify_incoming) options, respectively. If [`verify_outgoing`](/docs/agent/options.html#verify_outgoing) is set, agents verify the @@ -74,6 +75,14 @@ by the certificate authority present on all agents, set via the agent's appropriate key pair set using [`cert_file`](/docs/agent/options.html#cert_file) and [`key_file`](/docs/agent/options.html#key_file). +If [`verify_server_hostname`](/docs/agent/options.html#verify_server_hostname) is set, then +outgoing connections perform hostname verification. All servers must have a certificate +valid for "server.\.\" or the client will reject the handshake. This is +a new configuration as of 0.5.1, and it is used to prevent a compromised client from being +able to restart in server mode and perform a MITM attack. New deployments should set this +to true, and generate the proper certificates, but this is defaulted to false to avoid breaking +existing deployments. + If [`verify_incoming`](/docs/agent/options.html#verify_incoming) is set, the servers verify the authenticity of all incoming connections. All clients must have a valid key pair set using [`cert_file`](/docs/agent/options.html#cert_file) and 
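Review bot: The "respectively" in the first changed sentence no longer lines up: the preceding sentence names two modes (verifying servers, verifying clients) but the list now has three options (`verify_outgoing`, `verify_server_hostname`, `verify_incoming`), so a reader cannot tell which option maps to which mode. Either drop "respectively" or make it explicit that `verify_outgoing` and `verify_server_hostname` both govern server verification while `verify_incoming` governs client verification. Also, the certificate requirement renders as `valid for "server.\.\"` with the placeholder names missing, so operators cannot tell what hostname to put in the server certificates they are told to generate; spell out the placeholders in the text. Finally, this hunk does not say that `verify_server_hostname` implies `verify_outgoing`, which the options page in this same commit does; the two pages should agree.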
diff --git a/website/source/docs/agent/options.html.markdown b/website/source/docs/agent/options.html.markdown index 0487b6f72..7e8cdda1f 100644 --- a/website/source/docs/agent/options.html.markdown +++ b/website/source/docs/agent/options.html.markdown @@ -584,6 +584,14 @@ definitions support being updated during a reload. will not make use of TLS for outgoing connections. This applies to clients and servers as both will make outgoing connections. +* `verify_server_hostname` - If set to + true, Consul verifies for all outgoing connections that the TLS certificate presented by the servers + matches "server.." hostname. This implies `verify_outgoing`. + By default, this is false, and Consul does not verify the hostname of the certificate, only + that it is signed by a trusted CA. This setting is important to prevent a compromised + client from being restarted as a server, and thus being able to perform a MITM attack + or to be added as a Raft peer. This is new in 0.5.1. + * `watches` - Watches is a list of watch specifications which allow an external process to be automatically invoked when a particular data view is updated. See the
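Review bot: The option description says the certificate must match the `"server.."` hostname, with the placeholder names missing, and it differs from the `"server.\.\"` form used in encryption.html.markdown in this same commit; both should name the placeholders identically so operators know what subject to issue server certificates for. The sentence "verifies for all outgoing connections that the TLS certificate presented by the servers matches ... hostname" is also hard to parse; suggest "verifies, for every outgoing connection, that the TLS certificate presented by the server matches the expected server hostname". Since the entry says this implies `verify_outgoing`, it would help to state whether `verify_outgoing` is forced on or merely required, because a deployment that sets `verify_server_hostname` without `verify_outgoing` should have a defined behaviour.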