diff --git a/README.md b/README.md
index 5f423ec..8d010d6 100644
--- a/README.md
+++ b/README.md
@@ -40,7 +40,9 @@ but these are defined as git submodules, so `install.sh` takes care of them.
 
 * Install dependencies mentioned above
 * Run `./install.sh` to create `cherrypy.config` and `appdir.py`
-* Edit `cherrypy.config` (at least edit the user:password@ at the rpc url)
+* Edit `cherrypy.config` (at least edit the user`:`pwd`@` at `rpc_url`,
+  but it's also recommended to uncomment and edit the `browser_user` and `browser_password`
+  lines to enable basic authentication *before* someone develops a swizzler-specific trojan ;) )
 
 ### To run
 * `python swizzler.py`
diff --git a/cherrypy.config.example b/cherrypy.config.example
index 2edb6d6..1f87176 100644
--- a/cherrypy.config.example
+++ b/cherrypy.config.example
@@ -8,6 +8,12 @@ num_messages: 23 # number of messages per page
 num_trending_tags: 42 # let's party
 hash_salt: 'RANDOM'
 
+### Optional (but highly recommended):
+### Uncomment and edit these lines to protect Swizzler with basic browser auth
+### and block [e.g.] trojans from reading your DMs etc.
+#browser_user: 'myeasytorememberuser'
+#browser_password: 'myeasytorememberpassword'
+
 [/]
 tools.staticdir.root: "/PATH/HERE/static"
 
diff --git a/install.sh b/install.sh
index 47b9702..3e2005c 100755
--- a/install.sh
+++ b/install.sh
@@ -11,6 +11,7 @@ else
         < cherrypy.config.example > cherrypy.config
     echo "created cherrypy.config. Now edit it to taste ;)"
 fi
+chmod 600 cherrypy.config # chmod even if it exists :)
 if [ ! -f appdir.py ] ; then
     echo "# Stupid but effective trick to know where we are:">appdir.py
     echo "APPDIR = '$(pwd)'">>appdir.py
diff --git a/swizzler.py b/swizzler.py
index 2b2a1c4..11ce721 100644
--- a/swizzler.py
+++ b/swizzler.py
@@ -138,5 +138,13 @@ if __name__ == '__main__':
     cherrypy.config.update('{0}/cherrypy.config'.format(APPDIR))
     app = SwizzlerApp()
     cherrypy.tree.mount(app,'/',config='{0}/cherrypy.config'.format(APPDIR))
+    conf = cherrypy.tree.apps[''].config
+    u,p = conf['swizzler'].get('browser_user'),conf['swizzler'].get('browser_password')
+    print u,p
+    if u and p:
+        conf['/'].update({ 'tools.basic_auth.on': True,
+            'tools.basic_auth.realm': 'Swizzler VIP lounge',
+            'tools.basic_auth.users': {u:p}, 
+            'tools.basic_auth.encrypt': lambda x: x})
     cherrypy.engine.start()
     cherrypy.engine.block()