diff --git a/config-templates/config.php b/config-templates/config.php
index 7a8db7ff23f2c676950249d0c53633bfd48e5795..622ae0950bcca51ea021047c39408e4f10ca517b 100644
--- a/config-templates/config.php
+++ b/config-templates/config.php
@@ -834,6 +834,6 @@ $config = array(
      * Example:
      *   'trusted.url.domains' => array('sp.example.com', 'app.example.com'),
      */
-    'trusted.url.domains' => null,
+    'trusted.url.domains' => array(),
 
 );
diff --git a/docs/simplesamlphp-upgrade-notes-1.14.txt b/docs/simplesamlphp-upgrade-notes-1.14.txt
index 4f49395d4c54e748cbfc743d55c64b45cb1978cf..6278a7e2e73b81ac14b5ec5f52f61058e589fc7b 100644
--- a/docs/simplesamlphp-upgrade-notes-1.14.txt
+++ b/docs/simplesamlphp-upgrade-notes-1.14.txt
@@ -179,3 +179,5 @@ The following modules will no longer be shipped with the next version of SimpleS
     * `openidProvider`
     * `saml2debug`
     * `themefeidernd`
+
+The default value for trusted.url.domains in the config template has been changed from NULL to an empty array(), this sets a higher grade of default security. Resetting to NULL will re-allow untrusted routing.