Yes, those stylebooks should be applicable to 14.1 as well. Just to clarify on the protecting apps behind the VPN, that would be true for https://docs.citrix.com/en-us/tech-zone/build/deployment-guides/secure-private-access-on-premises.html? Yes, you're absolutely correct. Be it a published app or an internal private app, you can use WAF today to secure them by binding AppFw policies to the VPN server.