--- a/mod_http_oauth2/README.markdown	Tue Nov 14 23:03:37 2023 +0100
+++ b/mod_http_oauth2/README.markdown	Tue Nov 14 23:19:19 2023 +0100
@@ -224,10 +224,10 @@
 ```
 
 The [Proof Key for Code Exchange][RFC 7636] mitigation method is
-optional by default but can be made required:
+required by default but can be made optional:
 
 ```lua
-oauth2_require_code_challenge = true -- default is false
+oauth2_require_code_challenge = false -- default is true
 ```
 
 Further, individual challenge methods can be enabled or disabled:
@@ -235,7 +235,7 @@
 ```lua
 -- These reflects the default
 allowed_oauth2_code_challenge_methods = {
-    "plain"; -- the insecure one
+    -- "plain"; -- insecure but backwards-compatible
     "S256";
 }
 ```