From e5f19cedac9edcc754dda7807f99e834614763d6 Mon Sep 17 00:00:00 2001 From: Lukas Elmer Date: Mon, 14 Nov 2022 17:45:37 +0100 Subject: [PATCH] docs: add note on length of secret closes #919 --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index b5dbcba5..6ce6ae4a 100644 --- a/README.md +++ b/README.md @@ -295,6 +295,9 @@ the secret without invalidating sessions, provide an array of secrets, with the secret as first element of the array, and including previous secrets as the later elements. +**Note** HMAC-256 is used to sign the session ID. For this reason, the secret should +contain at least 32 bytes of entropy. + ##### store The session store instance, defaults to a new `MemoryStore` instance.
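Review bot: In the added note, "HMAC-256" is not a standard algorithm name; if the signature is HMAC with SHA-256, write "HMAC-SHA256" so readers can look it up. The note also lands directly after the paragraph on passing an array of secrets for rotation, so it should state that the 32-byte recommendation applies to every element of the array, since previous secrets are kept precisely so that existing sessions stay valid. Finally, "32 bytes of entropy" is easy to misread as "32 characters": consider saying the secret should be randomly generated rather than a human-chosen string of that length, and use "**Note:**" with a colon if that matches the rest of the README.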