diff --git a/README b/README index 07d7430..887d138 100644 --- a/README +++ b/README @@ -110,8 +110,8 @@ The fields are as follows: files; by default, group files are treated as read-only; - `publicServer`: if true, then cross-origin access to the server is - allowed. This is safe if the server is on the public Internet, but not - necessarily so if it is on a private network. + allowed. This makes the server vulnerable to cross-origin scripting + attacks, but is necessary in some cases. - `proxyURL`: if running behind a reverse proxy, this specifies the root URL that will be visible outside the proxy.
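Review bot: In the `publicServer` entry, the added phrase "but is necessary in some cases" does not say which cases, and the replacement drops the removed text's distinction between a server on the public Internet and one on a private network, so a reader has less to go on when deciding whether to enable the field. Suggest naming at least one case where cross-origin access is needed and keeping a sentence about the private-network case. The wording "cross-origin scripting attacks" is also ambiguous; stating that pages from any other origin will be allowed to access the server would describe the exposure more directly.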