diff --git a/docs/csaf_aggregator.md b/docs/csaf_aggregator.md
index 25e3b16..2109f63 100644
--- a/docs/csaf_aggregator.md
+++ b/docs/csaf_aggregator.md
@@ -22,9 +22,13 @@ Usage example for a single run, to test if the config is good:
 
 Once the config is good, you can run the aggregator periodically
 in two modes. For instance using `cron` on Ubuntu and after placing
-the config file in `/etc/csaf_aggregator.toml`:
+the config file in `/etc/csaf_aggregator.toml` and making sure
+its permissions only allow the user `www-data` to read it:
 
 ```bash
+chown www-data /etc/csaf_aggregator.toml
+chmod go-rwx /etc/csaf_aggregator.toml
+
 mkdir /var/log/csaf_aggregator
 mkdir ~www-data/bin
 cp bin-linux-amd64/csaf_aggregator ~www-data/bin/
@@ -48,6 +52,21 @@ SHELL=/bin/bash
 ```
 
 
+#### serve via web server
+
+Serve the paths where the aggregator writes its `html/` output
+by means of a webserver.
+In the config example below place is configured by the path given for `web`.
+
+The user running the aggregator has to be able to write there
+and the web server must be able to read the files.
+
+If you are using nginx, the setup instructions for the provider provide
+and example. You can leave out the cgi-bin part,
+potentially commend out the TLS client parts and
+adjust the `root` path accordingly.
+
+
 ### config options
 
 The following options can be used in the config file in TOML format:
diff --git a/docs/scripts/testAggregator.sh b/docs/scripts/testAggregator.sh
index ecc0a8d..1da909e 100755
--- a/docs/scripts/testAggregator.sh
+++ b/docs/scripts/testAggregator.sh
@@ -13,7 +13,7 @@ set -e  # to exit if a command in the script fails
 # The same directory name used in the config-example file.
 sudo mkdir /var/csaf_aggregator
 sudo chgrp -R www-data /var/csaf_aggregator
-sudo chmod -R g+w /var/csaf_aggregator
+sudo chmod -R g+ws /var/csaf_aggregator
 
 cd ~/csaf_distribution/
 sudo ./bin-linux-amd64/csaf_aggregator -c docs/examples/aggregator.toml