Copy security note from @tsawler

youchenlee · web-flow · commit 96502fc25b58 · 2017-05-02T11:43:49.000+08:00
Source: https://github.com/tsawler/laravel-filemanager/blob/c92aefe790a0648db885c830204502b919ff15f0/README.md#security
diff --git a/README.md b/README.md
@@ -19,7 +19,27 @@
    * Fix Windows compatibility.
    * Fix file cannot be uploaded to "File Mode".
    * Config file is also refactored, see [config document](https://unisharp.github.io/laravel-filemanager/config).
-  
+
+## Security
+
+It is important to note that if you use your own routes **you must protect your routes to Laravel-Filemanager in order to prevent unauthorized uploads to your server**. Fortunately, Laravel makes this very easy.
+
+If, for example, you want to ensure that only logged in users have the ability to access the Laravel-Filemanager, simply wrap the routes in a group, perhaps like this:
+
+```php
+Route::group(array('before' => 'auth'), function ()
+{
+    Route::get('/laravel-filemanager', '\Tsawler\Laravelfilemanager\controllers\LfmController@show');
+    Route::post('/laravel-filemanager/upload', '\Tsawler\Laravelfilemanager\controllers\LfmController@upload');
+    // list all lfm routes here...
+});
+```
+
+This approach ensures that only authenticated users have access to the Laravel-Filemanager. If you are using Middleware or some other approach to enforce security, modify as needed.
+
+**If you use the laravel-filemanager default route, make sure the `auth` middleware (set in config/lfm.php) is enabled and functional**.
+
+
 ## Credits
 Special thanks to
 
