docs: add basic auth security notes

mamchurovskyy · mamchurovskyy · commit d2ee4d54b7c9 · 2026-02-26T14:38:11.000+02:00
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -24,6 +24,10 @@
 | BASIC_AUTH | `--basic-auth <username:password>` | Enable Basic Auth (username:password) | (empty) |
 | BASIC_AUTH_REALM | `--basic-auth-realm <string>` | Basic Auth realm name | `Restricted` |
 
+## Security Note
+
+When Basic Auth is enabled, always run behind HTTPS (or a TLS-terminating reverse proxy). Basic Auth over plain HTTP exposes credentials.
+
 ## Examples
 
 Enable Brotli:
diff --git a/docs/deployment.md b/docs/deployment.md
@@ -34,6 +34,7 @@ services:
 - Use `--port` if you run the container on a non-default port.
 - Enable compression (`--brotli` or `--gzip`) when serving large static bundles.
 - For fixed asset paths (for example, a service worker), use `--ignore-cache-control-paths` to avoid CDN caching issues.
+- Add rate limiting at the reverse proxy (Traefik, Nginx, Cloudflare) to mitigate brute-force attempts.
 
 ## See Also
 
