diff --git a/.travis.yml b/.travis.yml
index ab6047f2d191d9ddc231c1b2a3d3073baed14b2d..214d8419661a6fac5a219e263c578d9f831c2c14 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -61,7 +61,7 @@ deploy:
 
   - provider: script
     skip_cleanup: true
-    script: docker build -f ./scripts/ci.dockerfile --build-arg -t codercom/code-server:"$TAG" -t codercom/code-server:v2 . && docker push codercom/code-server:"$TAG" && docker push codercom/code-server:v2
+    script: docker build -f ./scripts/ci.dockerfile -t codercom/code-server:"$TAG" -t codercom/code-server:v2 . && docker push codercom/code-server:"$TAG" && docker push codercom/code-server:v2
     on:
       repo: cdr/code-server
       branch: master
diff --git a/README.md b/README.md
index ca6cdc54cff6af832bea927c82bd5e7766d8575d..182402b097e348030c3a7a534154fd32fb6fdc02 100644
--- a/README.md
+++ b/README.md
@@ -56,6 +56,33 @@ arguments when launching code-server with Docker. See
 - For self-hosting and other information see [doc/quickstart.md](doc/quickstart.md).
 - For hosting on cloud platforms see [doc/deploy.md](doc/deploy.md).
 
+## Security
+
+### Authentication
+To enable built-in password authentication use `code-server --auth password`. By
+default it will use a randomly generated password but you can set the
+`$PASSWORD` environment variable to use your own.
+
+Do not expose `code-server` to the open internet without some form of
+authentication.
+
+### Encrypting traffic with HTTPS
+If you aren't doing SSL termination elsewhere you can directly give
+`code-server` a certificate with `code-server --cert` followed by the path to
+your certificate. Additionally, you can use certificate keys with `--cert-key`
+followed by the path to your key. If you pass `--cert` without any path
+`code-server` will generate a self-signed certificate.
+
+If `code-server` has been passed a certificate it will also respond to HTTPS
+requests and will redirect all HTTP requests to HTTPS. Otherwise it will respond
+only to HTTP requests.
+
+You can use [Let's Encrypt](https://letsencrypt.org/) to get an SSL certificate
+for free.
+
+Do not expose `code-server` to the open internet without SSL, whether built-in
+or through a proxy.
+
 ### Build
 
 See
diff --git a/doc/quickstart.md b/doc/quickstart.md
index db76d15fcafb5b56fc96707a49f8c2c135cd66cc..318bbebaef764d010863ddf9dc628fe0e05d1c4f 100644
--- a/doc/quickstart.md
+++ b/doc/quickstart.md
@@ -7,15 +7,6 @@
 ## Usage
 Run `code-server --help` to view available options.
 
-### Encrypting traffic with HTTPS
-To encrypt the traffic between the browser and server use `code-server --cert`
-followed by the path to your certificate. Additionally, you can use certificate
-keys with `--cert-key` followed by the path to your key. If you pass `--cert`
-without any path code-server will generate a self-signed certificate.
-
-You can use [Let's Encrypt](https://letsencrypt.org/) to get an SSL certificate
-for free.
-
 ### Nginx Reverse Proxy
 The trailing slashes are important.