diff --git a/changelog.d/13656.doc b/changelog.d/13656.doc
new file mode 100644
index 0000000000000000000000000000000000000000..61013a0daf3e135c16519445d9e422a51b4b338a
--- /dev/null
+++ b/changelog.d/13656.doc
@@ -0,0 +1 @@
+Clarify documentation that HTTP replication traffic can be protected with a shared secret.
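Review bot: "protected" in the added changelog line is broader than what the docs change itself states. The `docs/workers.md` text says replication traffic is always unencrypted and that the secret only changes whether it is authenticated. Suggest wording such as "can be authenticated with a shared secret" so the entry does not imply confidentiality.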
diff --git a/docs/workers.md b/docs/workers.md
index 6969c424d8cdec4628e11596698c1ea8577fc1bb..dce584972dce8b67b35e560f12f9433a76a797b6 100644
--- a/docs/workers.md
+++ b/docs/workers.md
@@ -120,7 +120,10 @@ redis:
 See the sample config for the full documentation of each option.
 
 Under **no circumstances** should the replication listener be exposed to the
-public internet; it has no authentication and is unencrypted.
+public internet; replication traffic is:
+
+* always unencrypted
+* unauthenticated, unless `worker_replication_secret` is configured
 
 
 ### Worker configuration
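Review bot: the second added bullet ("unauthenticated, unless `worker_replication_secret` is configured") can be read as relaxing the "Under **no circumstances**" warning once the secret is set. Suggest a sentence after the list stating that the listener must stay off the public internet even with the secret configured, because the traffic remains unencrypted. The hunk also does not say where `worker_replication_secret` is set; naming the config file or linking to the option's documentation would let readers act on the bullet.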