diff --git a/README.md b/README.md index f8725c6..c579b14 100644 --- a/README.md +++ b/README.md @@ -33,4 +33,16 @@ Advanced usage: known-hosts-content: "[hostname]:2222 ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ``` +## Recommended setup on the remote server + +To force the action to only write to a specific directory, +and to prevent excessive damage should the SSH key be compromised, +it is recommended to force the command in the `authorized_keys` file. + +```shell +command="rrsync -wo /directory/to/write/to",restrict,no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +``` + +The path specified in `target` will now be relative to `/directory/to/write/to`. + [rsync]: https://rsync.samba.org/ \ No newline at end of file
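Review bot: In the added `authorized_keys` example, `restrict` already disables agent, port and X11 forwarding and PTY allocation, so the `no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding` options that follow it are redundant. Either shorten the entry to `command="rrsync -wo /directory/to/write/to",restrict ssh-ed25519 ...` or add a sentence saying why both forms are listed. The fence is tagged `shell`, but the content is a key entry rather than a command to run, so a reader may paste it into a terminal; name the file it goes in (the `authorized_keys` of the account the action logs in as) directly above the block. The forced command calls `rrsync` by bare name, so it is also worth stating that `rrsync` must be installed and on that account's PATH on the server, or showing an absolute path. Finally, since `-wo` makes the key write-only and `target` becomes relative to `/directory/to/write/to`, the last sentence could say what happens to an existing absolute `target` value so users know to update their workflow.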