diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 8051653ee..92004b823 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -22,6 +22,7 @@ import (
 	"log"
 	"net/http"
 	"runtime/debug"
+	"strings"
 	"sync"
 	"time"
 
@@ -259,7 +260,17 @@ func (t *TLS) Start() error {
 	if t.Automation.OnDemand == nil ||
 		(t.Automation.OnDemand.Ask == "" && t.Automation.OnDemand.RateLimit == nil) {
 		for _, ap := range t.Automation.Policies {
-			if ap.OnDemand {
+				isWildcardOrDefault := false
+				if len(ap.Subjects) == 0 {
+					isWildcardOrDefault = true
+				}
+				for _, sub := range ap.Subjects {
+					if strings.HasPrefix(sub, "*") {
+						isWildcardOrDefault = true
+						break
+					}
+				}
+				if ap.OnDemand && isWildcardOrDefault {
 				t.logger.Warn("YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place",
 					zap.String("docs", "https://caddyserver.com/docs/automatic-https#on-demand-tls"))
 				break
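Review bot: The wildcard test `strings.HasPrefix(sub, "*")` only recognises a leading wildcard, so a subject with `*` in a later label (e.g. `api.*.example.com`) is treated as a bounded, explicit name and the abuse warning is silenced for it; if subjects are matched with certmagic's MatchWildcard, which substitutes `*` at any label position, such a policy is just as unbounded as `*.example.com`. Using `strings.Contains(sub, "*")` mirrors that matcher's own test and keeps the warning for every wildcard form, erring on the side of warning since this check is the only guard against silently running on-demand issuance with no `ask` endpoint or rate limit. As a point of style, `isWildcardOrDefault` is computed for every policy before `ap.OnDemand` is consulted; `if !ap.OnDemand { continue }` at the top of the loop body would skip the work for policies the warning cannot apply to. The enclosing Start() continues outside the hunk.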