From 4edba5d444ee9f27986cd80ab2aea72667101e34 Mon Sep 17 00:00:00 2001 From: Lennart <18233294+lennart-k@users.noreply.github.com> Date: Tue, 21 Jan 2025 13:52:01 +0100 Subject: [PATCH] Update README.md --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 8db0326..2ba96d2 100644 --- a/README.md +++ b/README.md @@ -41,6 +41,9 @@ You can generate a default `config.toml` with rustical gen-config ``` +> [!WARNING] > `rustical gen-config` generates a random `frontend.secret_key`. +> This secret is used to generate session cookies so if it is leaked an attacker could use it to authenticate to against any endpoint (also when the frontend is disabled). + You'll have to set your database path to something like `/var/lib/rustical/db.sqlite3`. There you also set your username, password, and app tokens. Password hashes can be generated with
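Review bot: The second line of the added warning has a doubled preposition ("to authenticate to against any endpoint"), and the warning states the risk without telling the reader what to do about it. Suggest "an attacker could use it to authenticate against any endpoint (even when the frontend is disabled)", followed by one sentence of guidance: keep the generated `config.toml` readable only by the service user, keep it out of version control and shared pastes, and replace `frontend.secret_key` with a fresh random value if it may have been exposed. Since the surrounding context lines say usernames, passwords and app tokens are set in the same file, the note could also say that the file as a whole should be treated as a secret, not only this key.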