diff --git a/monitoring/mtls-bridge/app.py b/monitoring/mtls-bridge/app.py
index 3cd33a9..9c0dfdf 100644
--- a/monitoring/mtls-bridge/app.py
+++ b/monitoring/mtls-bridge/app.py
@@ -19,6 +19,8 @@ TARGET_URL = os.environ.get("TARGET_URL")
 CLIENT_CERT = os.environ.get("CLIENT_CERT", "/certs/client.crt")
 CLIENT_KEY = os.environ.get("CLIENT_KEY", "/certs/client.key")
 UPSTREAM_CA_CERT = os.environ.get("UPSTREAM_CA_CERT", os.environ.get("CA_CERT", "")).strip()
+# Backward-compat alias: keep CA_CERT defined so legacy code paths/log statements don't crash.
+CA_CERT = UPSTREAM_CA_CERT
 TIMEOUT = int(os.environ.get("TIMEOUT", "5"))
 
 logger.info(
@@ -64,6 +66,44 @@ logger.info(
 )
 
 
+def get_verify_setting():
+    if not UPSTREAM_CA_CERT:
+        return True
+
+    lowered = UPSTREAM_CA_CERT.lower()
+    if lowered in {"false", "0", "no"}:
+        logger.warning("TLS verification for upstream is disabled via UPSTREAM_CA_CERT=%s", UPSTREAM_CA_CERT)
+        return False
+
+    if not os.path.exists(UPSTREAM_CA_CERT):
+        logger.warning(
+            "Configured UPSTREAM_CA_CERT path does not exist: %s (falling back to system CA bundle)",
+            UPSTREAM_CA_CERT,
+        )
+        return True
+
+    return UPSTREAM_CA_CERT
+
+
+VERIFY_SETTING = get_verify_setting()
+
+logger.info(
+    "mtls-bridge starting target_url=%s timeout=%ss cert=%s key=%s verify=%s log_level=%s",
+    TARGET_URL,
+    TIMEOUT,
+    CLIENT_CERT,
+    CLIENT_KEY,
+    VERIFY_SETTING,
+    os.environ.get("LOG_LEVEL", "INFO"),
+)
+
+if TARGET_URL and TARGET_URL.lower().startswith("http://"):
+    logger.warning(
+        "TARGET_URL uses http://; upstream may redirect to https:// and change request behavior: %s",
+        TARGET_URL,
+    )
+
+
 def get_verify_setting():
     if not UPSTREAM_CA_CERT:
         return True