diff --git a/README.md b/README.md index 8db0326..2ba96d2 100644 --- a/README.md +++ b/README.md @@ -41,6 +41,9 @@ You can generate a default `config.toml` with rustical gen-config ``` +> [!WARNING] > `rustical gen-config` generates a random `frontend.secret_key`. +> This secret is used to generate session cookies so if it is leaked an attacker could use it to authenticate to against any endpoint (also when the frontend is disabled). + You'll have to set your database path to something like `/var/lib/rustical/db.sqlite3`. There you also set your username, password, and app tokens. Password hashes can be generated with
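Review bot: The second line of the added warning reads "authenticate to against any endpoint"; drop the stray "to" so it reads "authenticate against any endpoint", and consider "even when the frontend is disabled" in place of the parenthetical "(also when the frontend is disabled)". The warning states the risk of a leaked `frontend.secret_key` but gives the reader nothing to act on. I would add one sentence saying the generated `config.toml` should be kept out of version control and readable only by the account running rustical, and that the key should be replaced if it may have been exposed. Since the text says the key matters even with the frontend disabled, it is also worth stating whether a deployment with the frontend disabled still needs `frontend.secret_key` set at all, because readers in that setup are the ones most likely to treat the value as unimportant.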