diff --git a/monitoring/mtls-bridge/app.py b/monitoring/mtls-bridge/app.py
index 2524700..9c0dfdf 100644
--- a/monitoring/mtls-bridge/app.py
+++ b/monitoring/mtls-bridge/app.py
@@ -23,6 +23,86 @@ UPSTREAM_CA_CERT = os.environ.get("UPSTREAM_CA_CERT", os.environ.get("CA_CERT",
 CA_CERT = UPSTREAM_CA_CERT
 TIMEOUT = int(os.environ.get("TIMEOUT", "5"))
 
+logger.info(
+    "mtls-bridge starting target_url=%s timeout=%ss cert=%s key=%s ca=%s log_level=%s",
+    TARGET_URL,
+    TIMEOUT,
+    CLIENT_CERT,
+    CLIENT_KEY,
+    CA_CERT,
+    os.environ.get("LOG_LEVEL", "INFO"),
+)
+
+
+def get_verify_setting():
+    if not UPSTREAM_CA_CERT:
+        return True
+
+    lowered = UPSTREAM_CA_CERT.lower()
+    if lowered in {"false", "0", "no"}:
+        logger.warning("TLS verification for upstream is disabled via UPSTREAM_CA_CERT=%s", UPSTREAM_CA_CERT)
+        return False
+
+    if not os.path.exists(UPSTREAM_CA_CERT):
+        logger.warning(
+            "Configured UPSTREAM_CA_CERT path does not exist: %s (falling back to system CA bundle)",
+            UPSTREAM_CA_CERT,
+        )
+        return True
+
+    return UPSTREAM_CA_CERT
+
+
+VERIFY_SETTING = get_verify_setting()
+
+logger.info(
+    "mtls-bridge starting target_url=%s timeout=%ss cert=%s key=%s verify=%s log_level=%s",
+    TARGET_URL,
+    TIMEOUT,
+    CLIENT_CERT,
+    CLIENT_KEY,
+    VERIFY_SETTING,
+    os.environ.get("LOG_LEVEL", "INFO"),
+)
+
+
+def get_verify_setting():
+    if not UPSTREAM_CA_CERT:
+        return True
+
+    lowered = UPSTREAM_CA_CERT.lower()
+    if lowered in {"false", "0", "no"}:
+        logger.warning("TLS verification for upstream is disabled via UPSTREAM_CA_CERT=%s", UPSTREAM_CA_CERT)
+        return False
+
+    if not os.path.exists(UPSTREAM_CA_CERT):
+        logger.warning(
+            "Configured UPSTREAM_CA_CERT path does not exist: %s (falling back to system CA bundle)",
+            UPSTREAM_CA_CERT,
+        )
+        return True
+
+    return UPSTREAM_CA_CERT
+
+
+VERIFY_SETTING = get_verify_setting()
+
+logger.info(
+    "mtls-bridge starting target_url=%s timeout=%ss cert=%s key=%s verify=%s log_level=%s",
+    TARGET_URL,
+    TIMEOUT,
+    CLIENT_CERT,
+    CLIENT_KEY,
+    VERIFY_SETTING,
+    os.environ.get("LOG_LEVEL", "INFO"),
+)
+
+if TARGET_URL and TARGET_URL.lower().startswith("http://"):
+    logger.warning(
+        "TARGET_URL uses http://; upstream may redirect to https:// and change request behavior: %s",
+        TARGET_URL,
+    )
+
 
 def get_verify_setting():
     if not UPSTREAM_CA_CERT: