From 505cd353c82bb788e870e1f413ee88c314a8d03d Mon Sep 17 00:00:00 2001
From: jfcheng <jianfeng.cheng@gmail.com>
Date: Sun, 22 Feb 2026 21:17:42 -0500
Subject: [PATCH] docs: Clarify order of Cloudflare Access setup to prevent
 container exposure

---
 webtop/SETUP.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/webtop/SETUP.md b/webtop/SETUP.md
index 4707609..37366eb 100644
--- a/webtop/SETUP.md
+++ b/webtop/SETUP.md
@@ -46,7 +46,8 @@ Webtop provides a full Linux desktop environment (Ubuntu XFCE) directly in your
 > [!CAUTION]
 > The Webtop container gives anyone who accesses it a passwordless root terminal (`sudo`) *within* the container. You **must not** expose this to the public internet (e.g., via Cloudflare Tunnel) without an authentication layer in front of it.
 
-If you are routing `webtop.chengs.uk` through a Cloudflare Tunnel, follow these steps to secure it with Cloudflare Access:
+If you are routing `webtop.chengs.uk` through a Cloudflare Tunnel, follow these steps to secure it with Cloudflare Access. **CRITICAL: Do this BEFORE adding the public hostname to your Cloudflare Tunnel to ensure zero exposure time.**
+
 1. Go to your **Cloudflare Zero Trust** Dashboard (`one.dash.cloudflare.com`).
 2. Navigate to **Access** -> **Applications** and click **Add an Application**.
 3. Choose **Self-hosted**.