From de41aa4531df4515de93eba685cfeb03227a5d4e Mon Sep 17 00:00:00 2001 From: Thomas Vanbesien Date: Sun, 22 Mar 2026 13:40:53 +0100 Subject: Add chmod 600 guidance for .env file in README --- README.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'README.md') diff --git a/README.md b/README.md index 9043f4b..b27e50f 100644 --- a/README.md +++ b/README.md @@ -43,7 +43,12 @@ docker-compose up --build ## Environment variables -Copy `.env.example` to `.env` and fill in the values: +Copy `.env.example` to `.env` and fill in the values. Since it contains secrets (database passwords, app secret), restrict read access to your user only: + +```sh +cp .env.example .env +chmod 600 .env # owner-only read/write — prevents other users on the host from reading secrets +``` | Variable | Purpose | |----------|---------| -- cgit v1.2.3
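Review bot: in the added `sh` block of the "Environment variables" hunk, `cp .env.example .env` creates the file with the umask default mode (commonly world-readable) and only the following `chmod 600 .env` tightens it, while the sentence above the block says "fill in the values" before it mentions restricting access, so a reader can reasonably edit the secrets in first and run the block's `chmod` afterwards, or skip it. Consider stating that both commands run before any value is filled in, or creating the file with the restricted mode in a single step, for example `install -m 600 .env.example .env`. Two smaller points on the same lines: `cp` silently overwrites an existing `.env`, so someone re-running the snippet loses the secrets they already entered (`cp -n` avoids that), and the sentence says "restrict read access" while mode 600 also removes write access for group and others, which the inline comment states correctly but the prose does not.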