author: jwijenbergh <jeroenwijenbergh@protonmail.com> 2023-03-21 16:02:18 +0100
committer: Jeroen Wijenbergh <46386452+jwijenbergh@users.noreply.github.com> 2023-09-25 09:43:37 +0200
commit: 62146dbdef785f26567b1074d38802c0b2157795
tree: 79ea749ccce47a1f80d462142ce545c78813bce2
parent: a8e43d757000fbfd783026925ad4ea4ef9efc0d0
Docs + Types server: Add comments about script-security
-rw-r--r-- docs/src/api/overview/README.md 2
-rw-r--r-- types/server/server.go 2
2 files changed, 3 insertions, 1 deletions
diff --git a/docs/src/api/overview/README.md b/docs/src/api/overview/README.md
index 989e8a6..4ad1a2c 100644
--- a/docs/src/api/overview/README.md
+++ b/docs/src/api/overview/README.md
@@ -202,7 +202,7 @@ State transitions that must be handled:
- `Ask_Location`: For asking the secure internet location. Acknowledge the request with [SetSecureLocation](#set-secure-location)
Return type:
-- The VPN configuration with associated data (`types.server.Configuration`). Note that this also contains Tokens that can be saved by the client.
+- The VPN configuration with associated data (`types.server.Configuration`). Note that this also contains Tokens that can be saved by the client. Note that the VPN configuration itself has "script-security 0" added to the end if it's an OpenVPN config. This is to disable OpenVPN scripts from being run by default. A client may override this if it has a good reason to.
- An error
### Expiry Times
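Review bot: The added sentence in the return-type bullet says a client "may override this if it has a good reason to" but gives neither the way to do so nor an example of a good reason, while the comment added in types/server/server.go names "very trusted, pre-provisioned VPNs". This README is what client authors read, so state how a client is expected to override the setting (the text only says the directive is added "to the end") and repeat the example so the two descriptions agree. Style: the bullet now has two consecutive "Note that" sentences, and "disable OpenVPN scripts from being run" is awkward; something like "For OpenVPN, `script-security 0` is appended to the configuration so that scripts are not run by default." would read better.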
diff --git a/types/server/server.go b/types/server/server.go
index 9747ebf..ae73f45 100644
--- a/types/server/server.go
+++ b/types/server/server.go
@@ -107,6 +107,8 @@ type List struct {
// Configuration is the configuration that you get back when you call the get config function
type Configuration struct {
// VPNConfig is the VPN Configuration, a WireGuard or OpenVPN Configuration
+ // In case of OpenVPN, we append "script-security 0" to disable scripts from being run by default.
+ // A client may override this, e.g. for, very trusted, pre-provisioned VPNs
VPNConfig string `json:"config"`
// Protocol defines which protocol the configuration is for, OpenVPN or WireGuard
Protocol protocol.Protocol `json:"protocol"`
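Review bot: The new comment on VPNConfig does not say where the directive is placed, whereas the README text in this same commit says it is added "to the end"; spell that out here too, because a client that edits the string to override the setting needs to know where to look. The second comment line has stray commas and no final period ("e.g. for, very trusted, pre-provisioned VPNs"); "e.g. for very trusted, pre-provisioned VPNs." is cleaner. Since the field holds either a WireGuard or an OpenVPN configuration, it is also worth stating explicitly whether the WireGuard string is returned as-is.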