diff --git a/README.md b/README.md
index d0aa43d..4052620 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 # ip2nginx
 <p align="center">
   <a href="https://safe-cap.com/" target="_blank">
-    <img src="https://safe-cap.com/git/ip2nginx-logo-250-250.png" width="100" height="100";>
+    <img src="img/ip2nginx-small.png">
   </a>
 	<br><br>
 	<img src="https://img.shields.io/badge/version-0.0.1-green.svg?style=for-the-badge">
@@ -41,21 +41,37 @@
 
 ---
 
-## 🏠 What is ip2nginx?
+🏠 What is ip2nginx?
 
-ip2nginx is a self-hosted system that allows you to make services running on your home network (like a NAS, internal web apps, or router interface) accessible under your own domain — even if your public IP address changes.
+ip2nginx is a self-hosted system that allows you to securely expose services running on your private home network (e.g. NAS, internal web interfaces, or a self-hosted app) under your own domain — without using third-party dynamic DNS services.
 
-Unlike third-party solutions other dynamic DNS providers, this tool gives you full control and privacy by updating your reverse proxy configuration directly, without modifying DNS records or relying on external providers.
+Instead of changing DNS records, it updates the reverse proxy (NGINX) configuration on your public server — making it the only point that needs to be publicly reachable.
+🔐 Why is this more secure?
 
-How It Works:
+Your home server does not need to be exposed to the entire internet. Only your external server (running ip2nginx) needs access. This allows you to:
 
-    Your home device (e.g. pfSense or another gateway) periodically sends its current public IP to your server via an API request.
+    Restrict incoming firewall access at home to just one remote IP (your public server).
 
-    The server updates the reverse proxy configuration (nginx.conf) with the new IP.
+    Avoid direct exposure of your internal services to DDOS or scanning attempts.
 
-    The proxy_pass directive is updated inside the specific location block for the target domain.
+    Offload all public traffic to the external server, preventing your home bandwidth from being overwhelmed.
 
-    NGINX is reloaded automatically to apply changes.
+⚙️ How it works:
+
+    Your home gateway (e.g. pfSense or another device) periodically sends its current public IP to your external server using an authenticated API call.
+
+    The external server updates only the proxy_pass directive inside a specific location block in the NGINX config for your domain.
+
+    NGINX is automatically reloaded to apply the changes.
+
+    From the outside world, visitors reach your external server, which transparently proxies to your home server — using your latest IP.
+
+This gives you full control, avoids third-party dependencies, and increases the security of your home infrastructure.
+
+<p align="center">
+  <img src="https://safe-cap.com/git/ip2nginx-server-small.png" alt="Diagram of a secure home-server access flow using an external NGINX proxy and API updates from the home server.">
+  <br><br>
+</p>
 
 ---
 
@@ -110,8 +126,7 @@ Supports **POST** (preferred) and **GET** methods.
 | `ip`       | ❌       | New public IP (default: auto-detected from request)                         |
 | `domain`   | ❌       | Backend domain to proxy to (default: same as IP)                            |
 | `port`     | ❌       | Port number (default: 443 for https, 80 for http)                           |
-| `protocol` | ❌       | One of `http` or `https` (default: `http`)                                  |
-| `location` | ❌       | NGINX location block path to update (default: `/`)                          |
+| `protocol` | ❌       | One of `http` or `https` (default: `https`)                                  |
 
 Any change in `ip`, `domain`, `port`, or `protocol` triggers `"changed": 1` in `meta.json`.
 
@@ -235,7 +250,7 @@ MIT (or similar): Open-source, free for use and modification.
 ## 🤝 Author
 <p align="center">
   <a href="https://safe-cap.com" target="_blank">
-  <img src="https://safe-cap.com/git/safe-cap-logo.png" width="100" height="100";>
+    <img src="img/safe-cap-logo-small.png" width="100" height="100" alt="SAFE-CAP">
   </a>
   <br><br>
   **Maintained by SAFE-CAP / Alexander Schiemann / https://safe-cap.com**
diff --git a/img/ip2nginx-how-it-work-small.png b/img/ip2nginx-how-it-work-small.png
new file mode 100644
index 0000000..9ff50fc
Binary files /dev/null and b/img/ip2nginx-how-it-work-small.png differ
diff --git a/img/ip2nginx-how-it-work.png b/img/ip2nginx-how-it-work.png
new file mode 100644
index 0000000..ad30f8e
Binary files /dev/null and b/img/ip2nginx-how-it-work.png differ
diff --git a/img/ip2nginx-logo-small.png b/img/ip2nginx-logo-small.png
new file mode 100644
index 0000000..58e1d8f
Binary files /dev/null and b/img/ip2nginx-logo-small.png differ
diff --git a/img/ip2nginx-logo.png b/img/ip2nginx-logo.png
new file mode 100644
index 0000000..8c355d6
Binary files /dev/null and b/img/ip2nginx-logo.png differ
diff --git a/img/safe-cap-logo-small.png b/img/safe-cap-logo-small.png
new file mode 100644
index 0000000..bde93bb
Binary files /dev/null and b/img/safe-cap-logo-small.png differ
diff --git a/img/safe-cap-logo.png b/img/safe-cap-logo.png
new file mode 100644
index 0000000..6d4ba05
Binary files /dev/null and b/img/safe-cap-logo.png differ
diff --git a/update.php b/update.php
index 997e666..59dbedb 100644
--- a/update.php
+++ b/update.php
@@ -40,7 +40,7 @@ function main(): void {
     'token'    => null,
     'ip'       => $clientIp,
     'domain'   => $clientIp, // fallback to IP if domain not given
-    'protocol' => 'http',
+    'protocol' => 'https',
     'port'     => null,
   ]);