diff --git a/README.md b/README.md
index 3056138..7ac5f3f 100644
--- a/README.md
+++ b/README.md
@@ -16,4 +16,59 @@ files:
 |----|-----------|
 |[application.properties](./web-container/src/main/resources/config/application.properties)|Main config file providing general app properties|
 |[shared-application.properties](./web-container-config/src/main/resources/config/shared-application.properties)|Properties shared by all apps|
-|[files-application.properties](./files/src/main/resources/config/files-application.properties)|Config file for the files app|
\ No newline at end of file
+|[files-application.properties](./files/src/main/resources/config/files-application.properties)|Config file for the files app|
+
+## Apache httpd config
+It is advised to not expose NoBullShit-cloud directly - instead a proxy server like Apache httpd should be used to shield access.
+The following config example can be used a blueprint:
+```
+# CSS, favicon and fonts need to be accesible without auth
+# for e.g. the password protected share feature
+# If the password protected share feature is not used
+# the locations can be ommitted to prevent an information leak
+# In fact, they can also be ommitted if the password protected
+# share feature _is_ used, but then the password entry page
+# will not be styled. Pick your poison.
+<Location /nbscloud/css>
+    ProxyPass http://localhost:PORT/nbscloud
+    ProxyPassReverse /nbscloud
+    allow from all
+    satisfy any
+</Location>
+
+
+<Location /nbscloud/favicon.ico>
+    ProxyPass http://localhost:PORT/nbscloud
+    ProxyPassReverse /nbscloud
+    allow from all
+    satisfy any
+</Location>
+
+<Location /nbscloud/font>
+    ProxyPass http://localhost:PORT/nbscloud
+    ProxyPassReverse /nbscloud
+    allow from all
+    satisfy any
+</Location>
+
+# If shares should not be accessible to unknown clients
+# this (and the Location directives above) can be ommitted
+<Location /nbscloud/files/shares>
+    ProxyPass http://localhost:PORT/nbscloud
+    ProxyPassReverse /nbscloud
+    allow from all
+    satisfy any
+</Location>
+
+<Location /nbscloud>
+    ProxyPass http://localhost:PORT/nbscloud
+    ProxyPassReverse /nbscloud
+    <RequireAll>
+        Require all granted
+        AuthName "YOUR AUTH"
+        AuthType Basic
+        AuthUserFile /var/www/html/.htpasswd
+        Require valid-user
+    </RequireAll>
+</Location>
+```
\ No newline at end of file
diff --git a/web-container/src/main/resources/static/changelog.txt b/web-container/src/main/resources/static/changelog.txt
index 2d070db..50aa1ce 100644
--- a/web-container/src/main/resources/static/changelog.txt
+++ b/web-container/src/main/resources/static/changelog.txt
@@ -1,5 +1,6 @@
 v19:
 - #22 Fix a bug with password protected shares
+- Add Apache httpd config example
 
 v18:
 - #22 Password protected shares