diff --git a/app/Http/Controllers/AppController.php b/app/Http/Controllers/AppController.php
index f7240d317def..7d92ba73a9eb 100644
--- a/app/Http/Controllers/AppController.php
+++ b/app/Http/Controllers/AppController.php
@@ -269,6 +269,12 @@ class AppController extends BaseController
 public function update()
 {
 if (! Utils::isNinjaProd()) {
+ if ($password = env('UPDATE_SECRET')) {
+ if (! hash_equals($password, request('secret') ?: '')) {
+ abort(400, 'Invalid secret: /update?secret=');
+ }
+ }
+
 try {
 set_time_limit(60 * 5);
 $this->checkInnoDB();
diff --git a/docs/configure.rst b/docs/configure.rst
index 0d4933d2de8e..1b93c9f1dd90 100644
--- a/docs/configure.rst
+++ b/docs/configure.rst
@@ -94,6 +94,15 @@ Follow these steps to add a custom driver.
 .. NOTE:: Most drivers also require `code changes `_ to work correctly.
+Security
+""""""""
+
+To require a password to update the app add ``UPDATE_SECRET=random_value`` to the .env file and then use /update?secret=random_value to update.
+
+By default the app clears the session when the browser is closed and automatically logs the user out after 8 hours.
+
+This can be modified by setting ``REMEMBER_ME_ENABLED`` and ``AUTO_LOGOUT_SECONDS`` in the .env file.
+
 Google Map
 """"""""""
@@ -128,12 +137,6 @@ If you need to set a list of trusted proxies you can add a TRUSTED_PROXIES value
 TRUSTED_PROXIES='10.0.0.0/8,172.16.0.0/12,192.168.0.0/16'
-Stay logged in
-""""""""""""""
-
-By default the app clears the session when the browser is closed and automatically logs the user out after 8 hours.
-
-This can be modified by setting ``REMEMBER_ME_ENABLED`` and ``AUTO_LOGOUT_SECONDS`` in the .env file.
 Customizations
 """"""""""""""
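Review bot: The gate reads `env('UPDATE_SECRET')` directly in the controller, and in Laravel `env()` stops returning values that come only from the .env file once the configuration is cached, so on such a deployment the new check is silently skipped and /update stays unauthenticated; read the value through a config entry populated from .env instead, e.g. `if ($password = config('app.update_secret')) {` (config key name constructed — add it to the matching config file). The comparison `hash_equals($password, request('secret') ?: '')` also assumes the parameter is a string; if it arrives as an array, `hash_equals()` raises a TypeError instead of rejecting cleanly, so guard it with `$secret = request('secret');` and `if (! is_string($secret) || ! hash_equals($password, $secret)) {`. A wrong secret is an authorization failure rather than a malformed request, so `abort(403, ...)` would describe the outcome more accurately than 400. The body of update() continues past the end of the hunk.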