diff --git a/hub/README.md b/hub/README.md
index d220ee8..8bdd5e3 100644
--- a/hub/README.md
+++ b/hub/README.md
@@ -188,7 +188,7 @@ Synchronizer-token CSRF protection on all browser POST/DELETE/PATCH operations:
- **Managed + reporting:** Full view — config info, system metrics, storage, containers, backup status, events timeline (last 50, severity filter), credentials, setup commands, YAML preview, controller update, notifications (with channel column), history
- **Managed + no reports yet:** Config info, credentials, setup commands, "Waiting for first report" indicator
- **Manual (report-only):** System metrics, storage, containers, backup, with "Create Config" button to convert to managed
-- **Config Form (`/configs/new`, `/configs/{id}/edit`)** — Create/edit customer configurations with identity, infrastructure tokens, and monitoring overrides. Legacy Monitoring UUIDs section collapsed by default with deprecation notice
+- **Config Form (`/configs/new`, `/configs/{id}/edit`)** — Create/edit customer configurations with identity, infrastructure tokens, and monitoring overrides. Legacy Monitoring UUIDs section collapsed by default with deprecation notice. CF API token requires **Zone DNS:Edit** (ACME) and **Zone WAF:Edit** (geo-restriction) permissions.
### Customer States
diff --git a/hub/internal/web/templates/config_form.html b/hub/internal/web/templates/config_form.html
index 71429b6..80e48bb 100644
--- a/hub/internal/web/templates/config_form.html
+++ b/hub/internal/web/templates/config_form.html
@@ -76,7 +76,8 @@
+ placeholder="DNS-01 + WAF permissions">
+ Szükséges jogosultságok: Zone DNS:Edit (ACME), Zone WAF:Edit (geo-korlátozás)