diff --git a/docs/content/middlewares/http/buffering.md b/docs/content/middlewares/http/buffering.md
index 56e88514b..47c7d3022 100644
--- a/docs/content/middlewares/http/buffering.md
+++ b/docs/content/middlewares/http/buffering.md
@@ -331,3 +331,7 @@ The retry expression is defined as a logical combination of the functions below
 - `Attempts()` number of attempts (the first one counts)
 - `ResponseCode()` response code of the service
 - `IsNetworkError()` whether the response code is related to networking error
+
+### Content-Length
+
+See [Best Practices: Content‑Length](../../security/best-practices/content-length.md)
\ No newline at end of file
diff --git a/docs/content/security/best-practices/content-length.md b/docs/content/security/best-practices/content-length.md
new file mode 100644
index 000000000..e09c62b6d
--- /dev/null
+++ b/docs/content/security/best-practices/content-length.md
@@ -0,0 +1,24 @@
+---
+title: "Content-Length"
+description: "Enforce strict Content‑Length validation in Traefik by streaming or full buffering to prevent truncated or over‑long requests and responses. Read the technical documentation."
+---
+
+Traefik acts as a streaming proxy. By default, it checks each chunk of data against the `Content-Length` header as it passes it on to the backend or client. This live check blocks truncated or over‑long streams without holding the entire message.
+
+If you need Traefik to read and verify the full body before any data moves on, add the [buffering middleware](../../reference/routing-configuration/http/middlewares/buffering.md):
+
+```yaml
+http:
+  middlewares:
+    buffer-and-validate:
+      buffering: {}
+```
+
+With buffering enabled, Traefik will:
+
+- Read the entire request or response into memory.
+- Compare the actual byte count to the `Content-Length` header.
+- Reject the message if the counts do not match.
+
+!!!warning 
+    Buffering adds overhead. Every request and response is held in full before forwarding, which can increase memory use and latency. Use it when strict content validation is critical to your security posture.
diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml
index 677244561..f6ac2d1d7 100644
--- a/docs/mkdocs.yml
+++ b/docs/mkdocs.yml
@@ -165,6 +165,10 @@ nav:
           - 'Instana': 'observability/tracing/instana.md'
           - 'Haystack': 'observability/tracing/haystack.md'
           - 'Elastic': 'observability/tracing/elastic.md'
+          - 'OpenTelemetry': 'observability/tracing/opentelemetry.md'
+  - 'Security':
+    - 'Best Practices': 
+          - 'security/best-practices/content-length.md'
   - 'User Guides':
       - 'Kubernetes and Let''s Encrypt': 'user-guides/crd-acme/index.md'
       - 'gRPC Examples': 'user-guides/grpc.md'