diff --git a/README.md b/README.md
index 7393dc4..7812974 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,8 @@ That's it. The wizard walks you through:
 4. Database — built-in Postgres or an external one
 5. Redis — built-in or external
 6. Media storage — local directory, built-in MinIO (S3), or external S3
-7. Network — reverse proxy with automatic HTTPS, or a plain HTTP port
+7. Network — bundled Caddy proxy (plain HTTP, or automatic HTTPS for a
+   domain), or no bundled proxy when you publish ports / run your own
 8. The first administrator account
 9. An optional ML service URL
 
@@ -58,13 +59,16 @@ never silently overwrites.
 - **One backend image, two roles.** `git.ollyhearn.ru/olly/mcma-backend` runs
   the API (`uvicorn`, port 8000) and the background worker
   (`arq app.workers.arq_worker.WorkerSettings`) — same image, different command.
-- **The web UI needs a reverse proxy.** `git.ollyhearn.ru/olly/mcma-webui` is a
-  prebuilt static SPA that calls `/api/v1` on its own origin and does not proxy
-  the API itself. So whenever the web UI is deployed, the installer puts **Caddy**
-  in front as the single entrypoint, routing `/api/*`, `/health*` and `/rest/*`
-  to the backend and everything else to the UI. Caddy runs plain HTTP on a port,
-  or gets automatic HTTPS if you provide a domain. A backend-only deploy skips
-  the proxy and publishes the API port directly.
+- **The web UI and API must be same-origin.** `git.ollyhearn.ru/olly/mcma-webui`
+  is a prebuilt static SPA, and the backend sends no CORS headers — so the UI and
+  API have to share an origin. By default the installer puts **Caddy** in front as
+  the single entrypoint, routing `/api/*`, `/health*` and `/rest/*` to the backend
+  and everything else to the UI (plain HTTP on a port, or automatic HTTPS for a
+  domain). The UI's browser-facing API base URL is set at container start from
+  `PUBLIC_API_BASE_URL` (injected into `window.__APP_CONFIG__`, no rebuild needed),
+  defaulting to the same-origin `/api/v1`. If you run your own reverse proxy, pick
+  the "no bundled proxy" option: the installer publishes the UI and API ports and
+  lets you set that base URL. A backend-only deploy publishes the API port directly.
 - **Startup is ordered and fails loud.** Backing services come up and become
   healthy → migrations run → the first admin is created → app services start →
   the API `/health` endpoint is polled. The backend is never started over a