Add a note on securing SBA to the docs

spring-boot-admin-docs/src/main/asciidoc/index.adoc

@@ -25,4 +25,6 @@ include::client.adoc[]
 
 include::server.adoc[]
 
+include::security.adoc[]
+
 include::faqs.adoc[]
\ No newline at end of file

spring-boot-admin-docs/src/main/asciidoc/security.adoc

+[[securing-spring-boot-admin]]
+== Security ==
+
+=== Securing Spring Boot Admin Server ===
+
+Since there are several approaches on solving authentication and authorization in distributed web applications Spring Boot Admin doesn't ship a default one.
+However you can include Spring Security to your Spring Boot Admin Server and configure it the way you like.
+
+=== Securing Client's Actuator Endpoints ===
+
+The simplest way to secure your actuator endpoints is to use basic authorization and the same username/password for all applications. This way the browser asks for the credentials and if you set `zuul.senstivieHeaders:` the Zuul Proxy in Spring Boot Admin Server forwards them to the clients.
+
+For more complex solutions (Spring Session, OAuth2, ...) please have a look at the samples in https://github.com/joshiste/spring-boot-admin-samples[joshiste/spring-boot-admin-samples^].

spring-boot-admin-docs/src/main/asciidoc/server-notifications.adoc

@@ -199,7 +199,7 @@ To enable Hipchat notifications you need to create an API token from you Hipchat
 
 | spring.boot.admin.notify.hipchat.description
 | Description to use in the event. SpEL-expressions are supported
-| `+++"<strong>#{application.name}</strong>/#{application.id} is <strong>#{to.status}</strong>"+++`
+| `+++"&lt;strong&gt;#{application.name}&lt;/strong&gt;/#{application.id} is &lt;strong&gt;#{to.status}&lt;/strong&gt;"+++`
 |
 |===