@itemize
-@item Effective responses proxying, without storing them in the memory first.
+@item
+@strong{Effective} responses proxying, without storing them in the memory first.
-@item TLS connection between client and @command{tofuproxy} has the
- proper hostname set in ephemeral on-the-fly generated certificate.
+@item
+TLS connection between client and @command{tofuproxy} has the
+@strong{proper hostname} set in ephemeral on-the-fly generated
+certificate.
-@item @code{HEAD} method is forbidden, as Xombrero loves it too much and
- it does not send User-Agent to differentiate it from others.
+@item
+@code{HEAD} method is forbidden.
-@item @code{www.reddit.com} is redirected to @code{old.reddit.com}.
+@item
+@code{www.reddit.com} is redirected to @code{old.reddit.com}.
-@item @url{https://habr.com/ru/all/, Хабр}'s resolution reduced images
- are redirected to their full size variants.
+@item
+@url{https://habr.com/ru/all/, Хабр}'s resolution reduced images are
+redirected to their full size variants.
-@item Various spying domains (advertisement, tracking counters) are denied.
+@item
+Various @strong{spying} domains (advertisement, tracking counters) are denied.
-@item Web fonts downloads are forbidden.
+@item
+Web @strong{fonts} downloads are forbidden.
-@item Permanent HTTP redirects are replaced with HTML page with the link.
+@item
+@strong{Permanent} HTTP @strong{redirects} are replaced with HTML page
+with the link.
-@item Temporary HTTP redirects are replaced with HTML too, if it is
- neither @url{https://newsboat.org/, Newsboat} nor image paths.
+@item
+@strong{Temporary} HTTP @strong{redirects} are replaced with HTML too,
+if it is neither @url{https://newsboat.org/, Newsboat} nor image paths.
-@item WebP images, if it is not Xombrero, is transcoded to PNG.
+@item
+@strong{WebP} images, if it is not Xombrero, is transcoded to PNG.
-@item JPEG XL and AVIF images are transparently transcoded to PNG too.
+@item
+@strong{JPEG XL} and @strong{AVIF} images are transparently transcoded
+to PNG too.
-@item Default Go's checks are applied to all certificates. If they pass,
- then certificate chain is saved on the disk. Future connections are
- compared against it, warning you about SPKI change and waiting for
- your decision either to accept new chain (possibly once per
- session), or reject it.
+@item
+Default Go's checks are applied to all certificates. If they pass, then
+certificate chain is saved on the disk (@strong{TOFU}). Future
+connections are compared against it, warning you about SPKI change
+(@strong{SPKI pinning}) and waiting for your decision either to accept
+new chain (possibly once per session), or reject it.
-@item Even when native Go's checks are failed, you can still make a
- decision to forcefully trust the domain.
+@item
+Even when native Go's checks are failed, you can still make a decision
+to forcefully trust the domain.
-@item HTTP-based unauthorized responses are intercepted and
- user/password input dialog is shown. It automatically loads initial
- form values from @file{.netrc}.
+@item
+@strong{HTTP-based authorization} requests are intercepted and
+user/password input dialogue is shown. It automatically loads
+@strong{initial form} values from @file{.netrc}.
-@item Optionally DANE-EE check is also made for each domain you visit.
+@item
+TLS @strong{client certificates} supported: separate dialogue window for
+certificate choice.
-@item TLS session resumption and keep-alives are also supported.
+@item
+Optional @strong{DANE-EE} check is also made for each domain you visit.
-@item And Go itself tries also to act as a
-@url{https://http2.github.io/, HTTP/2} client too.
+@item
+TLS @strong{session resumption} and @strong{keep-alives} are also supported.
+
+@item
+And Go itself tries also to act as a @url{https://http2.github.io/,
+HTTP/2} client too.
@end itemize