diff --git a/README.md b/README.md index c04d961e..2c17e5e3 100644 --- a/README.md +++ b/README.md @@ -40,9 +40,10 @@ without loosing any data. - As a user you have to trust the server administrator, your internet provider and any country the traffic passes not to inject any malicious javascript code. - Ideally, the PrivateBin installation used should provide HTTPS, secured by + For a basic security the PrivateBin installation *has to provide HTTPS*! + Additionally it should be secured by [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) and - [HPKP](https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning) using a + ideally by [HPKP](https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning) using a certificate either validated by a trusted third party (check the certificate when first using a new PrivateBin instance) or self-signed by the server operator, validated using a
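Review bot: the new wording "For a basic security the PrivateBin installation *has to provide HTTPS*!" has a grammar slip and an exclamation mark that clashes with the rest of the README; suggest "For basic security the PrivateBin installation *has to provide HTTPS*." and "Additionally, it should be secured by". Since this hunk also promotes HPKP from the default recommendation to an "ideally", it would be worth adding a sentence that pinning is optional and that a wrong pin locks users out until it expires, so operators do not read "ideally" as "do this without a plan". Separate nit visible in the hunk header context: "without loosing any data" should be "without losing any data".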