diff --git a/INSTALL.md b/INSTALL.md
index c17ab0f..72fe4b1 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -102,3 +102,13 @@ and Docker Compose (version 1.6.0 or greater) already installed.
 proxy_set_header X-Script-Name /szuru;
 }
 ```
+
+3. **Preparing for production**
+
+ If you plan on using szurubooru in a production setting, you may opt to
+ use a reverse proxy for added security and caching capabilities. Start
+ by having the client docker listen only on localhost by changing `PORT`
+ in your `.env` file to `127.0.0.1:8080` instead of simply `:8080`. Then
+ configure NGINX (or your caching/reverse proxy server of your choice)
+ to proxy_pass `http://127.0.0.1:8080`. We've included an example config
+ located in the `nginx-vhost.production` file.
diff --git a/client/nginx.conf.docker b/client/nginx.conf.docker
index c9d77ea..43a2d9f 100644
--- a/client/nginx.conf.docker
+++ b/client/nginx.conf.docker
@@ -15,7 +15,7 @@ http {
 log_format main '$remote_addr -> $request [$status] - '
 'referer: $http_referer $http_x_forwarded_for';
 access_log /dev/stdout main;
-
+ server_tokens off;
 sendfile on;
 keepalive_timeout 65;
 client_max_body_size 100M;
diff --git a/example.env b/example.env
index 25a6235..37c9cfa 100644
--- a/example.env
+++ b/example.env
@@ -6,6 +6,8 @@ POSTGRES_PASSWORD=changeme
 BUILD_INFO=latest
 
 # Port to expose HTTP service
+# Set to 127.0.0.1:8080 if you wish to reverse-proxy the docker's port,
+# otherwise the port specified here will be publicly accessible
 PORT=8080
 
 # Directory to store image data
diff --git a/nginx.vhost.production b/nginx.vhost.production
new file mode 100644
index 0000000..5a95b52
--- /dev/null
+++ b/nginx.vhost.production
@@ -0,0 +1,49 @@
+# example for a production vhost for szurubooru.
+# ideally, use ssl termination + cdn with a provider such as cloudflare.
+# modify as needed!
+
+# rate limiting zone
+# poor man's ddos protection, essentially
+limit_req_zone $binary_remote_addr zone=throttle:10m rate=25r/s;
+
+# www -> non-www
+server {
+    listen 80;
+    listen [::]:80;
+    server_tokens off;
+    server_name www.example.com
+    return 301 http://example.com$request_uri;
+}
+
+server {
+    server_name example.com;
+    client_max_body_size 100M;
+    client_body_timeout 30s;
+    server_tokens off;
+    location / {
+        limit_req zone=throttle burst=5 delay=3;
+        proxy_http_version 1.1;
+        proxy_pass http://127.0.0.1:8080;
+        proxy_set_header Host $http_host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Scheme $scheme;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Script-Name /szuru;
+        error_page 500 501 502 504 505 506 507 508 509 510 511 @err;
+        error_page 503 @throttle;
+    }
+
+    location @err {
+        return 500 "server error. please try again later.";
+        default_type text/plain;
+    }
+    location @throttle {
+        return 503 "we've detected abuse on your ip. please wait and try again later.";
+        default_type text/plain;
+    }
+    listen 80;
+    listen [::]:80;
+}
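Review bot: `server_name www.example.com` in the www-redirect server block has no terminating semicolon, so nginx reads the following `return 301 http://example.com$request_uri;` tokens as extra server names and the redirect never fires; it must be `server_name www.example.com;`. The throttle zone keys on `$binary_remote_addr`, yet the header comment recommends putting a CDN such as Cloudflare in front, in which case every visitor arrives from the CDN's edge addresses and the 25r/s limit is applied to the whole CDN rather than per client; add `set_real_ip_from` for the provider's published ranges plus `real_ip_header CF-Connecting-IP;` (or `X-Forwarded-For`) ahead of `limit_req_zone` so the limit, `X-Real-IP` and the access log see the real client. `error_page 503 @throttle;` also maps every nginx-generated 503 to the "abuse" text, and because `proxy_intercept_errors` is not enabled none of the `error_page` lines apply to upstream responses, so if the intent is to hide backend error bodies add `proxy_intercept_errors on;` and give throttling its own status with `limit_req_status 429;` so the two cases stay distinguishable. Separately, INSTALL.md in this same commit points readers at `nginx-vhost.production` (hyphen), which does not match the `nginx.vhost.production` path added here.
```nginx
# … unchanged: header comments …
# count requests per real client, not per CDN edge: trust the client-IP header
# only from the CDN's published ranges (placeholder below — fill in from your provider)
set_real_ip_from 203.0.113.0/24;
real_ip_header CF-Connecting-IP;
limit_req_zone $binary_remote_addr zone=throttle:10m rate=25r/s;
limit_req_status 429;

# www -> non-www
server {
    # … unchanged: listen / server_tokens …
    server_name www.example.com;
    return 301 http://example.com$request_uri;
}

server {
    # … unchanged: server_name / body limits / server_tokens …
    location / {
        # … unchanged: limit_req and proxy_* directives …
        proxy_intercept_errors on;
        error_page 500 501 502 504 505 506 507 508 509 510 511 @err;
        error_page 429 @throttle;
    }
    # … unchanged: @err …
    location @throttle {
        return 429 "we've detected abuse on your ip. please wait and try again later.";
        default_type text/plain;
    }
    # … unchanged: listen …
}
```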