Merge pull request #177 from ntodd/patch-3

Correct Security documentation
pouchdb-community · Feb 24, 2017 · 36a1b5d · 36a1b5d
2 parents 25aae20 + 47345d8
commit 36a1b5d
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -401,16 +401,16 @@ If you want to go completely [offline-first](http://offlinefirst.org/), you'll a
 
 An easy way to secure your Ember Pouch-using app is to ensure that data can only be fetched from CouchDB &ndash; not from some other server (e.g. in an [XSS attack](https://en.wikipedia.org/wiki/Cross-site_scripting)).
 
-To do so, add a Content Security Policy whitelist entry to `/config/environment.js`:
+You can use the [content-security-policy](https://github.com/rwjblue/ember-cli-content-security-policy) plugin to enable Content Security Policy in Ember CLI. You also will have to set the CSP HTTP header on your backend in production.
+
+To use, add a Content Security Policy whitelist entry to `/config/environment.js`:
 
 ```js
 ENV.contentSecurityPolicy = {
   "connect-src": "'self' http://your_couch_host.com:5984"
 };
 ```
 
-Ember CLI includes the [content-security-policy](https://github.com/rwjblue/ember-cli-content-security-policy) plugin by default to ensure that CSP is kept in the forefront of your thoughts. You still have actually to set the CSP HTTP header on your backend in production.
-
 ### CORS setup (important!)
 
 To automatically set up your remote CouchDB to use CORS, you can use the plugin [add-cors-to-couchdb](https://github.com/pouchdb/add-cors-to-couchdb):