Add comment

lib/cli.js

@@ -17,7 +17,7 @@ module.exports = function() {
     .option('-P, --plugin-path [path]', 'look for plugins installed at [path] as well as the default locations ([path] can also point to a single plugin)', function(p) { Plugin.addPluginPath(p); })
     .option('-U, --user-storage-path [path]', 'look for homebridge user files at [path] instead of the default location (~/.homebridge)', function(p) { User.setStoragePath(p); })
     .option('-D, --debug', 'turn on debug level logging', function() { require('./logger').setDebugEnabled(true) })
-    .option('-I, --insecure', 'allow insecure access to homebridge', function() { insecureAccess = true; })
+    .option('-I, --insecure', 'allow unauthenticated requests (for easier hacking)', function() { insecureAccess = true })
     .parse(process.argv);
 
   // Initialize HAP-NodeJS with a custom persist directory

lib/server.js

@@ -25,6 +25,11 @@ function Server(insecureAccess) {
   this._config = this._loadConfig();
   this._bridge = this._createBridge();
 
+  // Server is "secure by default", meaning it creates a top-level Bridge accessory that
+  // will not allow unauthenticated requests. This matches the behavior of actual HomeKit
+  // accessories. However you can set this to true to allow all requests without authentication,
+  // which can be useful for easy hacking. Note that this will expose all functions of your
+  // bridged accessories, like changing charactersitics (i.e. flipping your lights on and off).
   this._allowInsecureAccess = insecureAccess || false;
 }