diff --git a/doc/configuration.txt b/doc/configuration.txt
index ef0cf8ea2..8f58d40e2 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1950,7 +1950,9 @@ harden.reject-privileged-ports.tcp { on | off }
 harden.reject-privileged-ports.quic { on | off }
 Toggle per protocol protection which forbid communication with clients which use privileged ports as their source port. This range of ports is defined
- according to RFC 6335. Protection is inactive by default on both protocols.
+ according to RFC 6335. By default, protection is active for QUIC protocol as
+ this behavior is suspicious and may be used as a spoofing or DNS/NTP
+ amplification attack.
 http-err-codes [+-][,...] [...]
 Replace, reduce or extend the list of status codes that define an error as
diff --git a/src/haproxy.c b/src/haproxy.c
index 30df816ff..c987fdbfa 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -210,8 +210,8 @@ struct global global = {
 .maxsslconn = DEFAULT_MAXSSLCONN,
 #endif
 #endif
- /* by default do not protect against clients using privileged port */
- .clt_privileged_ports = HA_PROTO_ANY,
+ /* by default allow clients which use a privileged port for TCP only */
+ .clt_privileged_ports = HA_PROTO_TCP,
 /* others NULL OK */
 };
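Review bot: The new comment on `.clt_privileged_ports` states the default but not the polarity of the field, and the polarity is the easy thing to get wrong here: the field holds the protocols for which a privileged client source port is *accepted*, while the configuration keyword that drives it is spelled as a rejection (`harden.reject-privileged-ports.tcp` / `.quic` in the doc hunk). A reader who sees `HA_PROTO_TCP` next to a keyword named "reject" may conclude TCP is the protocol being rejected, which is the opposite of what the doc hunk describes. I would make the comment self-contained, e.g. `/* protocols on which a client may use a privileged source port: TCP only, so QUIC is rejected by default; set via harden.reject-privileged-ports.{tcp,quic} */`. The doc hunk only says protection is active for QUIC by default, so this is the one place that records that TCP remains unprotected by default; spelling it out in the comment helps operators auditing the default. The `struct global global` initializer starts outside the hunk.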