Security implications of #66

[luckydonald]

With #66 merged, I still have a few points I think we still need to address, and at least document:

I think for security reasons this one would be a quite high priority to solve:

• How can the configuration of that be turned off for the public instances we host?

Additionally it would make sense to write

• A section about proxy support, listing the available methods in the README.

Would be nice for those not looking at the changelog too closely.