docs: add security warning (#615)

xi · web-flow · commit 14e731e89471 · 2024-01-09T16:47:09.000+03:00
diff --git a/README.md b/README.md
@@ -70,6 +70,10 @@ module.exports = {
 };
 ```
 
+## Security Warning
+
+This loader is primarily meant for development. The default settings are not safe for production environments. See the [recommended example configuration](#recommended) and the section on [nonces](#nonce) for details.
+
 ## Options
 
 - [**`injectType`**](#injecttype)
@@ -964,6 +968,8 @@ module.exports = {
 
 ### Nonce
 
+If you are using a [Content Security Policy](https://www.w3.org/TR/CSP3/) (CSP), the injected code will usually be blocked. A workaround is to use a nonce. Note, however, that using a nonce significantly reduces the protection provided by the CSP. You can read more about the security impact in [the specification](https://www.w3.org/TR/CSP3/#security-considerations). The better solution is not to use this loader in production.
+
 There are two ways to work with `nonce`:
 
 - using the `attributes` option
