Docs: add security section

[AgnesToulet]

This is a start, I don't know if this is what you had in mind when you wrote #388

Closes #388

[joanlopez]

It looks like a great start, few things I'm wondering if would make sense to add are:

• Give few more details about the reasons why to set this up, like "otherwise something like this could happen", and refer the security incident.
• Perhaps mentioning that it's configured to - by default, so it's:
  • Not safe, because any potential attacker would start with - as secret token.
  • Therefore, it must be replaced.
  • But, if you get started, you'll notice that it requires a secret token to authorize rendering requests.

[joanlopez]

Indeed, by looking at the code that checks for the token (for instance, changes here), it seems it always checks for equality and empty string is not considered a valid (incoming) auth token. Therefore, perhaps we may need to slightly change the wording to say this is mandatory, at least with the default value -, which we strongly recommend to modify.

WDYT?

[joanlopez]

Hi @AgnesToulet, is there anything else missing?
Honestly, if we don't have any clear idea to add more details, I'd merge it as-is (better to have at least something), and perhaps iterate it later, if needed.

[AgnesToulet]

Sorry I missed your review on this. I updated the README according to your feedback, thanks!

[joanlopez]

Sorry I missed your review on this. I updated the README according to your feedback, thanks!

Don't worry at all! Looks great! :)