diff --git a/README.md b/README.md
index 9959164..1909a14 100644
--- a/README.md
+++ b/README.md
@@ -26,6 +26,9 @@ Create a configuration file in YAML format somewhere:
 # listen address and port
 host: "0.0.0.0"
 port: "8080"
+# optional: drop priviliges in case you want to but you should give this user at least read access on the log files
+user: "nobody"
+group: "nogroup"
 # logfile is optional, logs to STDOUT else
 logfile: "openvpn-status-web.log"
 # display name for humans and the status file path
diff --git a/lib/openvpn-status-web.rb b/lib/openvpn-status-web.rb
index 9320115..5e401b3 100644
--- a/lib/openvpn-status-web.rb
+++ b/lib/openvpn-status-web.rb
@@ -105,6 +105,10 @@ module OpenVPNStatusWeb
 OpenVPNStatusWeb.logger.info "Starting..."
+ # drop privs (first change group than user)
+ Process::Sys.setgid(Etc.getgrnam(config['group']).gid) if config['group']
+ Process::Sys.setuid(Etc.getpwnam(config['user']).uid) if config['user']
+
 # configure rack
 app = Daemon.new(config['vpns']) if ENV['RACK_ENV'] == "development"