diff --git a/README.md b/README.md
index b9bc9581c665ce9f4cdbad3a154c1681d7ce05a1..07b6c14cff90d4d65de7457a56e2cdbc20007264 100644
--- a/README.md
+++ b/README.md
@@ -165,15 +165,42 @@ For easy deployment, we've created an official Docker container. There are two v
 
 The default one will run as `root`:
 
+> [!WARNING]
+> It is discouraged to use `latest` tag for WatchTower or similar tools. The `latest` tag can reference unreleased developer, test builds, and patch releases for older versions. Use an actual version tag until transfer.sh supports major or minor version tags.
+
 ```bash
 docker run --publish 8080:8080 dutchcoders/transfer.sh:latest --provider local --basedir /tmp/
 ```
 
+### No root
+
+The `-noroot` tags indicate image builds that run with least priviledge to reduce the attack surface might an application get compromised.
+> [!NOTE]
+> Using `-noroot` is **recommended**
+
 The one tagged with the suffix `-noroot` will use `5000` as both UID and GID:
 ```bash
 docker run --publish 8080:8080 dutchcoders/transfer.sh:latest-noroot --provider local --basedir /tmp/
 ```
 
+> [!NOTE]
+> Development history details at:
+> - https://github.com/dutchcoders/transfer.sh/pull/418
+
+### Tags
+
+Name | Usage
+--|--
+latest| Latest CI build, can be nightly, at commit, at tag, etc.
+latest-noroot| Latest CI build, can be nightly, at commit, at tag, etc. using [no root]
+nightly| Scheduled CI build every midnight UTC
+nightly-noroot| Scheduled CI build every midnight UTC using [no root]
+edge| Latest CI build after every commit on `main`
+edge-noroot| Latest CI build after every commit on `main` using [no root]
+x.y.z| CI build after tagging a release
+x.y.z-noroot| CI build after tagging a release using [no root]
+
+
 ### Building the Container
 You can also build the container yourself. This allows you to choose which UID/GID will be used, e.g. when using NFS mounts:
 ```bash