diff --git a/app/src/config/constants/compatibility.js b/app/src/config/constants/compatibility.js
index 75e1414f6b..78aafaa4dd 100644
--- a/app/src/config/constants/compatibility.js
+++ b/app/src/config/constants/compatibility.js
@@ -246,6 +246,12 @@ export const FEATURE_COMPATIBLE_VERSION = {
 [GLOBAL_CONSTANTS.APP_MODES.DESKTOP]: "26.2.19",
 [GLOBAL_CONSTANTS.APP_MODES.EXTENSION]: "0.0.0",
 },
+ // RQ-2425: the "Allow insecure SSL" toggle needs the desktop user-preference
+ // + proxy support shipping in 26.6.22, so older desktops never render it.
+ [FEATURES.ALLOW_INSECURE_SSL]: {
+ [GLOBAL_CONSTANTS.APP_MODES.DESKTOP]: "26.6.22",
+ [GLOBAL_CONSTANTS.APP_MODES.EXTENSION]: null,
+ },
 [FEATURES.SECRETS_MANAGER]: {
 [GLOBAL_CONSTANTS.APP_MODES.DESKTOP]: "26.3.19",
 [GLOBAL_CONSTANTS.APP_MODES.EXTENSION]: null,
diff --git a/app/src/config/constants/sub/features.js b/app/src/config/constants/sub/features.js
index 58aab1e910..c98d9e4a5b 100644
--- a/app/src/config/constants/sub/features.js
+++ b/app/src/config/constants/sub/features.js
@@ -112,5 +112,6 @@ FEATURES.API_CLIENT_RECORDS_REORDERING = "api_client_records_reordering";
 FEATURES.ONBOARDING_V2 = "onboarding_v2";
 FEATURES.DESKTOP_BETA_PREVIEW_URL_CONFIGURATION = "desktop_beta_preview_url_configuration";
 FEATURES.SECRETS_MANAGER = "secrets_manager";
+FEATURES.ALLOW_INSECURE_SSL = "allow_insecure_ssl";
 export default FEATURES;
diff --git a/app/src/features/settings/components/DesktopSettings/InsecureCerts/index.tsx b/app/src/features/settings/components/DesktopSettings/InsecureCerts/index.tsx
new file mode 100644
index 0000000000..43543e821b
--- /dev/null
+++ b/app/src/features/settings/components/DesktopSettings/InsecureCerts/index.tsx
@@ -0,0 +1,58 @@
+import React, { useEffect, useState } from "react";
+import { Col, Row, Switch } from "antd";
+import { toast } from "utils/Toast";
+
+const GET_ACTION = "USER_PREFERENCE:GET_ALLOW_INSECURE_CERTS";
+const SET_ACTION = "USER_PREFERENCE:UPDATE_ALLOW_INSECURE_CERTS";
+
+function storageAction(type: string, data?: any): Promise {
+ return window?.RQ?.DESKTOP?.SERVICES?.IPC?.invokeEventInMain("rq-storage:storage-action", {
+ type,
+ payload: data !== undefined ? { data } : {},
+ });
+}
+
+/**
+ * RQ-2425: desktop-only toggle that controls whether the proxy verifies upstream
+ * TLS certificates. Off (verify) by default. Persisted in the desktop
+ * user-preference store and applied live on the running proxy (no restart).
+ */
+const InsecureCerts: React.FC = () => {
+ const [enabled, setEnabled] = useState(false);
+ const [loading, setLoading] = useState(false);
+
+ useEffect(() => {
+ storageAction(GET_ACTION)
+ ?.then((res: boolean) => setEnabled(!!res))
+ .catch(() => {});
+ }, []);
+
+ const onToggle = async (checked: boolean) => {
+ setLoading(true);
+ try {
+ await storageAction(SET_ACTION, { allowInsecureCerts: checked });
+ setEnabled(checked);
+ toast.success(checked ? "Insecure SSL certificates allowed." : "Upstream TLS verification re-enabled.");
+ } catch (e) {
+ toast.error("Failed to update setting");
+ } finally {
+ setLoading(false);
+ }
+ };
+
+ return (
+
+
+
Allow insecure SSL in proxy interceptor
+

+ Skip TLS certificate verification for upstream servers. Enable only for hosts you trust. +

+ + + + +
+ );
+};
+
+export default InsecureCerts;
diff --git a/app/src/features/settings/components/DesktopSettings/index.jsx b/app/src/features/settings/components/DesktopSettings/index.jsx
index 13084e6e8d..39ee5c0d79 100644
--- a/app/src/features/settings/components/DesktopSettings/index.jsx
+++ b/app/src/features/settings/components/DesktopSettings/index.jsx
@@ -19,6 +19,7 @@ import { trackSettingsToggled } from "modules/analytics/events/misc/settings";
 import { RQButton } from "lib/design-system/components";
 import "./DesktopSettings.css";
 import LocalLogFile from "./LocalLogFile";
+import InsecureCerts from "./InsecureCerts";
 export const DesktopSettings = () => {
 const appMode = useSelector(getAppMode);
@@ -236,6 +237,7 @@ export const DesktopSettings = () => {
 ) : null}
+ {isFeatureCompatible(FEATURES.ALLOW_INSECURE_SSL) && }
diff --git a/documentation/docs.json b/documentation/docs.json
index 5891b9efa0..9c32bc2c78 100644
--- a/documentation/docs.json
+++ b/documentation/docs.json
@@ -49,7 +49,8 @@
 "interceptor/desktop-app/browser-interception",
 "interceptor/desktop-app/desktop-app-interception",
 "interceptor/desktop-app/network-table",
- "interceptor/desktop-app/saving-logs-to-local-file"
+ "interceptor/desktop-app/saving-logs-to-local-file",
+ "interceptor/desktop-app/allow-insecure-ssl"
 ]
 },
 {
diff --git a/documentation/images/allow-insecure-ssl/desktop-settings-toggle.png b/documentation/images/allow-insecure-ssl/desktop-settings-toggle.png
new file mode 100644
index 0000000000..6d828406cf
Binary files /dev/null and b/documentation/images/allow-insecure-ssl/desktop-settings-toggle.png differ
diff --git a/documentation/images/allow-insecure-ssl/ssl-error-page.png b/documentation/images/allow-insecure-ssl/ssl-error-page.png
new file mode 100644
index 0000000000..06f07aa27e
Binary files /dev/null and b/documentation/images/allow-insecure-ssl/ssl-error-page.png differ
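Review bot: In `onToggle`, `storageAction` evaluates to `undefined` whenever the optional chain `window?.RQ?.DESKTOP?.SERVICES?.IPC` is missing, and `await undefined` resolves, so `setEnabled(checked)` and the success toast run with nothing persisted — the user can read "Upstream TLS verification re-enabled." while the proxy still skips verification. The mount-time read fails the same way: `?.then(...)` plus `.catch(() => {})` leaves the switch at its `useState(false)` default, so a failed read displays "off" even when the stored preference is on. I would have `storageAction` reject when the bridge is absent and report a failed read instead of swallowing it, as sketched below; whether the SET reply carries an acknowledgement to check before the success toast is not visible in this hunk. The `Switch` props were lost in this rendering, so confirm it is bound to `loading` and stays non-interactive until the stored value has loaded. Separately, the caption says "Enable only for hosts you trust" but the payload is a single `allowInsecureCerts` boolean, so the wording should say that verification is skipped for all intercepted upstream hosts.

```typescript
// in storageAction: reject instead of resolving to undefined when the bridge is missing
const ipc = window?.RQ?.DESKTOP?.SERVICES?.IPC;
if (!ipc) {
  return Promise.reject(new Error("Desktop IPC bridge unavailable"));
}
return ipc.invokeEventInMain("rq-storage:storage-action", {
  type,
  payload: data !== undefined ? { data } : {},
});

// … unchanged: GET_ACTION / SET_ACTION, component state hooks …

useEffect(() => {
  // Hold the switch in its loading state until the stored value is known.
  setLoading(true);
  storageAction(GET_ACTION)
    .then((res: boolean) => setEnabled(!!res))
    .catch(() => toast.error("Failed to read setting"))
    .finally(() => setLoading(false));
}, []);

// … unchanged: onToggle, JSX …
```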
diff --git a/documentation/interceptor/desktop-app/allow-insecure-ssl.mdx b/documentation/interceptor/desktop-app/allow-insecure-ssl.mdx
new file mode 100644
index 0000000000..2d9fd08670
--- /dev/null
+++ b/documentation/interceptor/desktop-app/allow-insecure-ssl.mdx
@@ -0,0 +1,39 @@
+---
+title: "Allow Insecure SSL"
+slug: "allow-insecure-ssl"
+path: "/http-interceptor/desktop-app/allow-insecure-ssl"
+visibility: "PUBLIC"
+format: "MDX"
+---
+
+When Requestly intercepts HTTPS traffic, it connects to the destination website on your behalf. By default it **verifies the website's TLS certificate**, just like a browser does, and refuses to connect when the certificate is expired, self-signed, or issued by an untrusted authority.
+
+Sometimes you need to intercept traffic to such a site anyway — for example a local development server, a staging environment, or an internal service that uses a self-signed certificate. For these cases you can turn off certificate verification.
+
+## Enabling the setting
+
+Open settings from the icon on the top right and, under `Desktop Settings`, turn on **Allow insecure SSL in proxy interceptor**.
+
+
+
+
+ While this is on, Requestly accepts certificates from every site you intercept. Turn it on only for hosts you trust, and turn it off again when you're done.
+
+
+## What you'll see when it's off
+
+This setting is **off by default** so that interception stays secure. When it is off and a site's certificate can't be verified, Requestly shows an error page that names the reason instead of loading the page:
+
+
+
+| You'll see | It usually means |
+| --- | --- |
+| `ERR_CERT_DATE_INVALID` | The certificate is expired or not yet valid |
+| `ERR_CERT_AUTHORITY_INVALID` | The certificate is self-signed or from an untrusted authority |
+| `ERR_CERT_COMMON_NAME_INVALID` | The certificate doesn't match the site's address |
+
+If you trust the site, turn on **Allow insecure SSL in proxy interceptor** and reload.
+
+
+ Leave this off for normal browsing so that certificate problems on real sites are still caught. Turn it on only for the sites you're actively debugging.
+
diff --git a/documentation/troubleshoot/http-interceptor/troubleshooting-untrusted-ssl-certificate.mdx b/documentation/troubleshoot/http-interceptor/troubleshooting-untrusted-ssl-certificate.mdx
index c324feda29..a5a88261ff 100644
--- a/documentation/troubleshoot/http-interceptor/troubleshooting-untrusted-ssl-certificate.mdx
+++ b/documentation/troubleshoot/http-interceptor/troubleshooting-untrusted-ssl-certificate.mdx
@@ -61,3 +61,9 @@ For Requestly Interceptor to intercept HTTPS traffic, you need to install Reques
 ### **Check your Firewall**
 Check if you are using any Firewall software like Sophos. Firewalls generally block web proxies for security reasons and mistake Requestly Interceptor as a web proxy but Requestly Interceptor only runs on yourlocal device. Sending them an email will get Requestly Interceptor unblocked for you.
+
+### **The destination site's own certificate can't be verified**
+
+The `RQProxyCA` certificate above is what your browser uses to trust Requestly. Separately, Requestly verifies the **destination server's** TLS certificate when it forwards your request. If that certificate is expired, self-signed, or issued by an untrusted authority, Requestly shows an SSL error page (for example `ERR_CERT_DATE_INVALID` or `ERR_CERT_AUTHORITY_INVALID`) instead of letting the request through.
+
+If you trust the host, you can turn off upstream certificate verification — see [Allow Insecure SSL](/interceptor/desktop-app/allow-insecure-ssl).