From 5fc75ef877a30417a9b51686a74aa4197e176e28 Mon Sep 17 00:00:00 2001
From: Bolke de Bruin <bolke@xs4all.nl>
Date: Sat, 25 Jul 2020 19:57:27 +0200
Subject: [PATCH] More security documentation

---
 README.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/README.md b/README.md
index e0c388d..d1c2040 100644
--- a/README.md
+++ b/README.md
@@ -19,6 +19,14 @@ RDPGW provides multi factor authentication out of the box with OpenID Connect in
 you can integrate your remote desktops with Keycloak, Okta, Google, Azure, Apple or Facebook 
 if you want. 
 
+## Security
+RDPGW wants to be secure when you set it up from the beginning. It does this by having OpenID
+Connect integration enabled by default. Cookies are encrypted and signed on the client side relying
+on [Gorilla Sessions](https://www.gorillatoolkit.org/pkg/sessions). PAA tokens (gateway access tokens)
+are generated and signed according to the JWT spec by using [jwt-go](https://github.com/dgrijalva/jwt-go)
+signed with a 512 bit HMAC. Hosts provided by the user are verified against what was provided by
+the server.
+
 ## How to build
 ```bash
 cd rdpgw
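Review bot: "Cookies are encrypted and signed on the client side" in the new Security section reads as if the client performs the cryptography; with Gorilla Sessions the server encrypts and authenticates the cookie and the client only stores and returns it, so suggest "Cookies are stored client-side, encrypted and signed by the server using [Gorilla Sessions](https://www.gorillatoolkit.org/pkg/sessions)". Two smaller points in the same paragraph: "signed with a 512 bit HMAC" does not say whether 512 bits is the HMAC output size (HS512) or the key length, nor where the key comes from, which is what an operator needs in order to judge the setup, so name the JWT signing algorithm and the configuration setting that supplies the key; and "Hosts provided by the user are verified against what was provided by the server" leaves "the server" undefined (the identity provider, or the gateway's own configuration?), so say which. Style: "RDPGW wants to be secure when you set it up from the beginning" would read more naturally as "RDPGW aims to be secure by default".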
-- 
GitLab