Updated Security (markdown)

This commit is contained in:
Aircoookie 2017-12-13 11:39:12 +01:00
parent 378390ff6f
commit e6c2647162
1 changed files with 19 additions and 1 deletions

@ -1 +1,19 @@
todo
WLED was designed in a way that you should be save to have a router port forwarding to control the system from the public internet. This page will tell you what you can expect by WLEDs security.
### TLDR - what to do?
A: If you just operate WLED within a local network and/or with a secured Access Point (change the default password "wled1234"!!) you are fine.
If you have configured a port forwarding to control WLED from outside your locak subnet, please make sure the setting "OTA Lock" is enabled and you have changed the default OTA password "wledota"!
### 1: Is the connection itself safe?
A: Technically not. The ESP8266 uses unencrypted HTTP traffic. Implementing HTTPS would take to much processing power and memory on this little device. This means an attacker could read your passwords during transmit. Therefore, to be safe, please do NOT change the AP/Client WiFi/OTA password from outside of your LAN via a forwarded port. If you are at home, you should be safe if your WiFi is secured.
### 2: What do you mean by secure then?
A: WLED comes with the ability to carry out a software update via WiFi (OTA). However, no one must be able to flash a malicious new binary firmware to steal your WiFi credentials or make your ESP part of a botnet. Therefore, you should enable the "OTA Lock" setting and change its default passphrase "wledota".
### 3: Can I protect the light configuration or the settings page?
A: Currently not. This is not sensitive information like your WiFi password. Anyone with your IP and port can control the lights. Open an issue if it should ever happen that somebody plays with your lights. I might consider adding an optional password lock then. For now, it is way too cumbersome for what it does.
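
Review bot: The opening sentence promises that forwarding a router port to WLED from the public internet is safe, but section 1 says all traffic is unencrypted HTTP and section 3 says anyone with your IP and port can control the lights. Please qualify the first line so it claims only what the page supports, for example that "OTA Lock" with a changed passphrase is meant to stop unauthorized firmware flashing, while light control and anything sent over the forwarded port stay exposed. Section 1 lists the AP/Client WiFi/OTA passwords as things not to change from outside the LAN; it would help to state whether the same applies to entering the OTA passphrase to unlock the setting over a forwarded port, since an attacker "could read your passwords during transmit". The TLDR and section 2 both repeat the default OTA passphrase "wledota"; one mention with a pointer would keep the two from drifting apart. Typos to fix before merging: "save" should be "safe", "WLEDs security" should be "WLED's security", "locak" should be "local", "to much" should be "too much".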