diff --git a/app/_data/docs_nav_mesh_2.6.x.yml b/app/_data/docs_nav_mesh_2.6.x.yml index 8a14bfbb3997..174840203752 100644 --- a/app/_data/docs_nav_mesh_2.6.x.yml +++ b/app/_data/docs_nav_mesh_2.6.x.yml @@ -54,6 +54,11 @@ inherit: - path: [ Kong Mesh in Production, Secure your deployment ] action: delete entries: [ Kuma API access control ] + - path: [ Kong Mesh in Production, Secure your deployment ] + action: insert + index: 0 + text: Security recommendations + url: /production/cp-deployment/security-recommendations - path: [ Kong Mesh in Production, Secure your deployment ] action: insert index: -1 diff --git a/app/_data/docs_nav_mesh_2.7.x.yml b/app/_data/docs_nav_mesh_2.7.x.yml index 93adda11d5d4..a1482d0e8219 100644 --- a/app/_data/docs_nav_mesh_2.7.x.yml +++ b/app/_data/docs_nav_mesh_2.7.x.yml @@ -59,6 +59,11 @@ inherit: - path: [ Kong Mesh in Production, Secure your deployment ] action: delete entries: [ Kuma API access control ] + - path: [ Kong Mesh in Production, Secure your deployment ] + action: insert + index: 0 + text: Security recommendations + url: /production/cp-deployment/security-recommendations - path: [ Kong Mesh in Production, Secure your deployment ] action: insert index: -1 diff --git a/app/_src/mesh/production/cp-deployment/security-recommendations.md b/app/_src/mesh/production/cp-deployment/security-recommendations.md new file mode 100644 index 000000000000..abf94b2f168d --- /dev/null +++ b/app/_src/mesh/production/cp-deployment/security-recommendations.md 
@@ -0,0 +1,22 @@ +--- +title: Security Recommendations +--- + +{{site.mesh_product_name}} is designed to be secure by default. However, there are additional steps you can take to further secure your deployment. +For a strongly secure and high-availability deployment checkout [Mesh in Konnect](/konnect/mesh-manager/). + +## Control Plane + +### Access Control + +For usability, {{site.mesh_product_name}} control plane API is open by default. +To restrict access to entities and features of the control plane, you can configure [access control policies](/mesh/{{page.release}}/features/rbac/). + +### KDS Authentication + +In multi-zone deployments, you can enable [KDS authentication](/mesh/{{page.release}}/features/kds-auth/) to secure the communication between the global and zone control planes. + +### CORS + +By default CORS setup in {{site.mesh_product_name}} is allowing any origin. +You can configure it by setting the [control-plane config](/mesh/{{page.release}}/documentation/configuration): `KUMA_API_SERVER_CORS_ALLOWED_DOMAINS` to a list of domains that are allowed to access the control plane API.
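Review bot: In the two nav hunks (`docs_nav_mesh_2.6.x.yml` and `docs_nav_mesh_2.7.x.yml`) the same five-line `insert` block is duplicated verbatim; since both files already carry an `inherit:` section, check whether the entry can live in the inherited base nav instead of being repeated per release, and confirm that no other release nav file needs the same entry. The `url: /production/cp-deployment/security-recommendations` does match the new file path `app/_src/mesh/production/cp-deployment/security-recommendations.md`, and `index: 0` placing "Security recommendations" first in "Secure your deployment" reads as intended.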
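Review bot: In the new `security-recommendations.md` hunk, the CORS section tells the reader to set `KUMA_API_SERVER_CORS_ALLOWED_DOMAINS` but never says what the value looks like (one domain, a comma-separated list, exact hosts or patterns), so a reader cannot act on it; add one example value and, since the section sits next to "Access Control", a sentence that narrowing CORS only limits which browser origins may call the API and is not a substitute for the access control policies described above. Wording fixes in the same hunk: `checkout [Mesh in Konnect]` should be `check out [Mesh in Konnect]`, `For a strongly secure and high-availability deployment` reads better as `For a hardened, highly available deployment`, and `By default CORS setup in {{site.mesh_product_name}} is allowing any origin.` should be `By default, CORS in {{site.mesh_product_name}} allows any origin.`. The "Access Control" section states the API is open by default; consider making the recommendation explicit (enable the access control policies before exposing the control plane API outside a trusted network) so the page gives a recommendation rather than only a description.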