diff --git a/config/.env.example b/config/.env.example
index ceab39238..793f83b10 100644
--- a/config/.env.example
+++ b/config/.env.example
@@ -20,7 +20,7 @@ export APP_DEFAULT_LOCALE="en_US"
 export APP_DEFAULT_TIMEZONE="UTC"
 # SECURITY: Set this to your domain to prevent Host Header Injection attacks
 # This is REQUIRED in production for password resets and other security features
-export APP_FULL_BASE_URL="https://yourdomain.com"
+export APP_FULL_BASE_URL="https://example.com"
 export SECURITY_SALT="__SALT__"

 # Uncomment these to define cache configuration via environment variables.
diff --git a/config/app.php b/config/app.php
index 81d15e18b..9876cf421 100644
--- a/config/app.php
+++ b/config/app.php
@@ -40,7 +40,7 @@
 * IMPORTANT: This MUST be set in production to prevent Host Header Injection attacks
 * that can compromise password reset and other security-critical features.
 * Set this via APP_FULL_BASE_URL environment variable or directly in config.
- * Example: 'https://yourdomain.com'
+ * Example: 'https://example.com'
 * When not set, the application will throw an exception in production mode.
 * - imageBaseUrl - Web path to the public images/ directory under webroot.
 * - cssBaseUrl - Web path to the public css/ directory under webroot.
diff --git a/config/bootstrap.php b/config/bootstrap.php
index ce293268b..9bb6ca0d9 100644
--- a/config/bootstrap.php
+++ b/config/bootstrap.php
@@ -156,7 +156,7 @@
 * Set APP_FULL_BASE_URL in your environment variables or configure App.fullBaseUrl
 * in config/app.php or config/app_local.php
 *
- * Example: APP_FULL_BASE_URL=https://yourdomain.com
+ * Example: APP_FULL_BASE_URL=https://example.com
 */
 $fullBaseUrl = Configure::read('App.fullBaseUrl');
 if (!$fullBaseUrl) {
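Review bot: The `APP_FULL_BASE_URL` line in `config/.env.example` still ships as an active, well-formed value, so a deployment that copies the file without editing it ends up with a non-empty base URL. Judging only by the visible `if (!$fullBaseUrl) {` context line in `config/bootstrap.php`, that value would satisfy the "must be set in production" guard, and password-reset links would then be built for example.com instead of the real site. Shipping the line commented out, `#export APP_FULL_BASE_URL="https://example.com"`, would keep the example readable while letting the guard fire until an operator sets a real host. The body of the guard lies outside the hunk, so whether it already rejects placeholder hosts cannot be confirmed from here.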