diff --git a/README.md b/README.md
index 595b0cf5..7cf1401d 100644
--- a/README.md
+++ b/README.md
@@ -24,15 +24,23 @@ Fetch a minified build under [releases](https://github.com/openpgpjs/openpgpjs/r
 
 OpenPGP.js currently only fully supports browsers that implement `window.crypto.getRandomValues`. If you can help us support more browsers and runtimes, please chip in!
 
-### To build
+### Security recommendations
+
+It should be noted that browser based application, following a [**host-based security**](https://www.schneier.com/blog/archives/2012/08/cryptocat.html) model, provide users with less security than installable apps with auditable static versions. This can be achieved by deploying your HTML5 app as a [Firefox](https://developer.mozilla.org/en-US/Marketplace/Publishing/Packaged_apps) or [Chrome](http://developer.chrome.com/apps/about_apps.html) packaged app. These runtimes typically also enforce a strict [Content Security Policy (CSP)](http://www.html5rocks.com/en/tutorials/security/content-security-policy/) to protect your users against [XSS](http://en.wikipedia.org/wiki/Cross-site_scripting). 
+
+This [blogpost](http://tonyarcieri.com/whats-wrong-with-webcrypto) explains the trust model of the web quite well.
+
+It is also recommended to set a strong passphrase that protects user's private key on disk.
+
+## Development
+
+You can create your own build in `dist/openpgp.min.js` to use in your project.
 
     npm install && grunt
 
-Then take `dist/openpgp.min.js` to use in your project.
-
 ### Run tests
 
-    npm install && npm test
+    npm test
 
 ### Documentation