diff --git a/NEWS.md b/NEWS.md index ddbe7a3..3bb9b84 100644 --- a/NEWS.md +++ b/NEWS.md @@ -8,6 +8,8 @@ See the changelog for a full list of changes. The environment variable name was corrected from `INTELMQ_MANGER_CONTROLLER_CMD` to `INTELMQ_MANGAER_CONTROLLER_CMD` you might need to adapt your configuration. The old name will be available until version 3.0. +Use IntelMQ Manager only from a browser that can only access internal, trusted sites. (Because CSRF development is under way, see [#111](github.com/certtools/intelmq/issues/111)). + 2.1.0 (2019-10-15) ------------------ The environment variable name was corrected from `INTELMQ_MANGER_CONTROLER_CMD` to `INTELMQ_MANGER_CONTROLLER_CMD` you might need to adapt your configuration. diff --git a/docs/INSTALL.md b/docs/INSTALL.md index 2f9712b..85849d0 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -143,6 +143,8 @@ The way the current version is written, anyone can send a POST request and chang Therefore you will need authentication and SSL. +Use IntelMQ Manager only from a browser that can only access internal, trusted sites. (Because CSRF development is under way, see [#111](https://github.com/certtools/intelmq-manager/issues/111)). + In addition, intelmq currently stores plaintext passwords in its configuration files. These can be read via intelmq-manager. **Never ever allow unencrypted, unauthenticated access to intelmq-manager**.
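Review bot: In the NEWS.md hunk the added link target `github.com/certtools/intelmq/issues/111` has no `https://` scheme, so Markdown renderers will treat it as a relative path. It also names the `intelmq` repository, while the same sentence in the docs/INSTALL.md hunk links to `https://github.com/certtools/intelmq-manager/issues/111`. Use the full intelmq-manager URL in both files. The stated reason, "CSRF development is under way", reads as if CSRF itself were being developed; wording such as "CSRF protection is not implemented yet" tells the reader what is actually missing.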
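Review bot: In the docs/INSTALL.md hunk the new sentence directly follows "Therefore you will need authentication and SSL." but does not say that neither of those stops a cross-site request. A browser that is already authenticated to the manager attaches its credentials to requests triggered by another site, and the hunk's own context notes that a POST request is enough to change things. Say so explicitly, so that the browser restriction is not read as optional once authentication is enabled. The phrase "a browser that can only access internal, trusted sites" would also be easier to act on if it named a concrete setup, for example a separate browser or profile used only for IntelMQ Manager.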