diff --git a/mopidy/frontends/http/__init__.py b/mopidy/frontends/http/__init__.py
index a23886f8..6f90c1a2 100644
--- a/mopidy/frontends/http/__init__.py
+++ b/mopidy/frontends/http/__init__.py
@@ -20,6 +20,15 @@ Frontend which lets you control Mopidy through HTTP and WebSockets.
 When this frontend is included in :attr:`mopidy.settings.FRONTENDS`, it starts
 a web server at the port specified by :attr:`mopidy.settings.HTTP_SERVER_PORT`.
 
+As a simple security measure, the web server is by default only available from
+localhost. To make it available from other computers, change
+:attr:`mopidy.settings.HTTP_SERVER_HOSTNAME`. Before you do so, note that the
+HTTP frontend does not feature any form of user authentication or
+authorization. Anyone able to access the web server can use the full core API
+of Mopidy. Thus, you probably only want to make the web server available from
+your local network or place it behind a web proxy which takes care or user
+authentication. You have been warned.
+
 This web server exposes a WebSocket at ``/ws``. The WebSocket gives you access
 to Mopidy's full API and enables Mopidy to instantly push events to the client,
 as they happen.