From 2ce4602808c66828474a4d96a90d7995db84fe4a Mon Sep 17 00:00:00 2001 From: Ferry Boender Date: Fri, 24 Apr 2015 19:59:00 +0200 Subject: [PATCH] Security documentation. --- doc/MANUAL.md | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/doc/MANUAL.md b/doc/MANUAL.md index dad78cf..7a9ca5e 100644 --- a/doc/MANUAL.md +++ b/doc/MANUAL.md @@ -31,7 +31,7 @@ This is the manual for version %%VERSION%%. - [Passwords](#users_passwords) - [Form limiting](#users_formlimit) - [Security considerations](#users_security) -1. [Troubleshooting](#troubleshooting) +1. [Security](#security) ## Invocations @@ -484,3 +484,22 @@ For an example, see the (beginning of this chapter)[#users]. you wish to prevent this, you should put Scriptform behind a proxy that *does* support Scriptform, such as Apache. For more information on that, see the "Invocations" chapter. + +## Security + +There are a few security issues to take into consideration when deploying Scriptform: + +- You should limit harmful forms to specific users. See the [Users](#users) + chapter for more information. + +- User passwords have no salt. This makes them slightly easier to bruteforce + en-mass. + +- Scriptform does not natively support secure HTTPS connections. This means + usernames and passwords are transmitted over the line in nearly plaintext. If + you wish to prevent this, you should put Scriptform behind a proxy that + *does* support Scriptform, such as Apache. For more information on that, see + the "Invocations" chapter. + +- Scriptform logs the invocation of scripts and variables to the log file for + auditing purposes.
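Review bot: the first hunk (`@@ -31,7 +31,7 @@`) replaces the `1. [Troubleshooting](#troubleshooting)` table-of-contents entry rather than adding a new one, so the link to the Troubleshooting chapter disappears from the index while the chapter itself is untouched (the diffstat shows exactly one deletion, and it is this line). Keep the Troubleshooting entry and add `1. [Security](#security)` as a separate line after it.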
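Review bot: in the second hunk the advice "put Scriptform behind a proxy that *does* support Scriptform, such as Apache" should read "that *does* support HTTPS"; the unchanged context lines just above the new section carry the same slip, so both copies should be corrected. In the same bullet, "nearly plaintext" undersells the risk: without TLS the username and password are readable by anyone on the network path, and the text should say so plainly. Two smaller items: "bruteforce en-mass" should be "brute-force en masse", and the unsalted-password bullet would be more useful if it stated the practical consequence (one precomputed table works against every user's hash) and recommended strong, unique passwords until salting is added. Finally, the new section largely repeats the existing "Security considerations" subsection of the Users chapter; consider having one reference the other rather than maintaining two copies.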