From 9a08caea633084e05b52f478104d3b011e20b0f7 Mon Sep 17 00:00:00 2001 From: lichenblankie Date: Fri, 5 Jun 2026 02:18:51 +0000 Subject: [PATCH] add Security section to README --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index 40b519c..0f6e546 100644 --- a/README.md +++ b/README.md @@ -62,3 +62,10 @@ All moderation is local — you control your view: - Threads older than 30 days are auto-pruned (configurable on the moderation page) - Set retention to 0 to keep everything indefinitely - Forum DB is stored at `~/.tinyweb/forum.db` + +## Security + +- **No authentication** — The forum inherits TinyWeb's access model. Anyone who can reach the HTTP port (localhost by default) can post, edit, retract, block, and change moderation settings. See TinyWeb's Security section for details on `--bind 0.0.0.0`. +- **Retractions are voluntary** — Retracting a thread or post sends a signal to peers, but any peer can ignore it and keep serving the content. "Retract" is a polite request, not a guaranteed delete. +- **Block gossip can be gamed** — Auto-block triggers after 3 peer reports. On Reticulum this requires 3+ real instances to collude, which is impractical at mesh scale, but is not cryptographically enforced. +- **No rate limiting** — Forum POST endpoints have no throttling. Low risk since the HTTP port is localhost-only by default.
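Review bot: the "No rate limiting" bullet's "Low risk since the HTTP port is localhost-only by default" contradicts the first bullet's own caveat that the bind address is configurable via `--bind 0.0.0.0`; once the port is exposed beyond localhost, the unthrottled POST endpoints combine with the no-authentication model and the risk is no longer low. Suggest qualifying it, e.g. "Low risk while the HTTP port stays localhost-only; if you run with `--bind 0.0.0.0`, the forum endpoints are reachable and unthrottled by anyone on that network." Same for the "Block gossip can be gamed" bullet: the "impractical at mesh scale" judgement reads as a guarantee next to "not cryptographically enforced"; stating whether the 3-report threshold is configurable (like the retention setting above it) would let operators tune it rather than rely on that assumption.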