From 5aaa3a8af7d366a5ce2e946d727412d2e575a926 Mon Sep 17 00:00:00 2001 From: rugk Date: Sat, 4 Jun 2016 18:14:43 +0200 Subject: [PATCH] Add note to remind user to protect the data dir --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 99f088c..5e08463 100644 --- a/README.md +++ b/README.md @@ -46,7 +46,7 @@ Afterwards copy all files in /dist folder to your werbserver. ### After installation -* `data/` folder has to be writeable by web server. +* `data/` folder has to be writeable by web server, but **must not** be accessible publicy. That means protect it in your webserver configuration! * HTTPS connection should be forced. You should consider using [HTTP Strict Transport Security](https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security) (HSTS) and [HTTP Public Key Pinning](https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning) (HPKP). * [Content-Security-Policy](http://content-security-policy.com/) (CSP) should be used. Default CSP headers are provided in `.htaccess` file but commented out. * Execute `php api/cron.php` on a regular basis to delete outdated polls. A cronjob running once a day should be fine.
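Review bot: In the rewritten `data/` bullet, "publicy" should be "publicly", and "protect it in your webserver configuration!" tells the reader that something must be done without saying how. Since this README already ships an `.htaccess` (the CSP bullet refers to it), consider naming the mechanism in the same sentence, e.g. a `data/.htaccess` containing `Require all denied` (Apache 2.4) or `Deny from all` (Apache 2.2), an nginx `location /data/ { deny all; }` block, or keeping `data/` outside the document root altogether; otherwise the folder the web server writes to stays reachable by URL despite the bold warning. Minor: "writeable" is acceptable but "writable" is the usual spelling, and the unchanged context line "copy all files in /dist folder to your werbserver" still carries a typo that could be fixed while this bullet is being touched.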