updates

README.md

@@ -51,6 +51,25 @@ than what makes sense to show in a minimal snippet.
 * [commandline (standalone with "webroot")](https://github.com/Daplie/node-letsencrypt/blob/master/examples/commandline.js)
 * [expressjs (fully automatic https)](https://github.com/Daplie/node-letsencrypt/blob/master/examples/express.js)
 
+### non-root
+
+If you want to run this as non-root, you can.
+
+You just have to set node to be allowed to use root ports
+
+```
+# node
+sudo setcap cap_net_bind_service=+ep /usr/local/bin/node
+```
+
+and then make sure to set all of of the following to a directory that your user is permitted to write to
+
+* `webrootPath`
+* `configDir`
+* `workDir` (python backend only)
+* `logsDir` (python backend only)
+
+
 See Also
 ========
 

index.js

@@ -95,6 +95,18 @@ LE.create = function (backend, defaults, handlers) {
         return;
       }
 
+      //
+      // IMPORTANT
+      //
+      // Before attempting a dynamic registration you need to validate that
+      //
+      //   * these are hostnames that you expected to exist on the system
+      //   * their A records currently point to this ip
+      //   * this system's ip hasn't changed
+      //
+      //  If you do not check these things, then someone could attack you
+      //  and cause you, in return, to have your ip be rate-limit blocked
+      //
       console.warn("[SECURITY WARNING]: node-letsencrypt: validate(hostnames, cb) NOT IMPLEMENTED");
       cb(null, true);
     }