Add note about CORS + Basic auth

README.md

@@ -192,7 +192,7 @@ $env:MESHCORE_SERIAL_PORT="COM8" # or your COM port
 uv run uvicorn app.main:app --host 0.0.0.0 --port 8000
 ```
 
-If you enable Basic Auth, protect the app with HTTPS. HTTP Basic credentials are not safe on plain HTTP.
+If you enable Basic Auth, protect the app with HTTPS. HTTP Basic credentials are not safe on plain HTTP. Also note that the app's permissive CORS policy is a deliberate trusted-network tradeoff, so cross-origin browser JavaScript is not a reliable way to use that Basic Auth gate.
 
 ## Where To Go Next
 

frontend/src/components/CrackerPanel.tsx

@@ -611,7 +611,8 @@ export function CrackerPanel({
         pick up messages it couldn't crack, attempting them at one longer length.
         <strong> Try word pairs</strong> will also try every combination of two dictionary words
         concatenated together (e.g. "hello" + "world" = "#helloworld") after the single-word
-        dictionary pass; this can substantially increase search time.
+        dictionary pass; this can substantially increase search time and also result in
+        false-positives.
         <strong> Decrypt historical</strong> will run an async job on any room name it finds to see
         if any historically captured packets will decrypt with that key.
         <strong> Turbo mode</strong> will push your GPU to the max (target dispatch time of 10s) and