diff --git a/DEPLOYMENT.md b/DEPLOYMENT.md index b96f9ce..8c7326f 100644 --- a/DEPLOYMENT.md +++ b/DEPLOYMENT.md @@ -62,6 +62,12 @@ podman-compose --env-file .env.demo -f demo.yml up -d # 3. Access at http://localhost:4322 ``` +For VPS deployments, it is recommended to bind demo ports to localhost and put a reverse proxy (TLS) in front. + +- Set `BACKEND_BIND_HOST=127.0.0.1` and `FRONTEND_BIND_HOST=127.0.0.1` in `compose/.env.demo` +- Point `API_BASE` at your public domain (for example `https://openlikwid.org`) +- Serve the demo via the reverse proxy on `80/443` + ## Demo Instance Details ### Demo Accounts @@ -115,7 +121,9 @@ podman-compose --env-file compose/.env.demo -f compose/demo.yml up -d | DB_PORT | 5432 | 5433 | Database port | | JWT_SECRET | (required) | demo_jwt_secret_... | JWT signing secret | | BACKEND_PORT | 3000 | 3001 | Backend API port | +| BACKEND_BIND_HOST | 0.0.0.0 | 0.0.0.0 | Backend bind host for published port (set to `127.0.0.1` on VPS) | | FRONTEND_PORT | 4321 | 4322 | Frontend port | +| FRONTEND_BIND_HOST| 0.0.0.0 | 0.0.0.0 | Frontend bind host for published port (set to `127.0.0.1` on VPS) | | API_BASE | (your domain) | http://localhost:3001 | Public API URL | | DEMO_MODE | false | true | Enable demo features | diff --git a/docs/admin/demo-operations.md b/docs/admin/demo-operations.md index 0117256..7456d30 100644 --- a/docs/admin/demo-operations.md +++ b/docs/admin/demo-operations.md @@ -12,8 +12,9 @@ The demo is intended for public browsing and for guided exploration of a pre-see ## Services and ports -- Frontend: `http://:4322` -- Backend API: `http://:3001` +- Public demo URL (recommended): `https://openlikwid.org/` +- Frontend (local-only on VPS): `http://127.0.0.1:4322` +- Backend API (local-only on VPS): `http://127.0.0.1:3001` - Database: not exposed publicly (bound to localhost in VPS deployments) ## Deploy/update (VPS) 
@@ -51,5 +52,5 @@ Resetting is destructive and recreates the demo database. ## Security notes - Keep the database port closed to the public internet. -- Prefer TLS and a reverse proxy once a domain is available. +- Prefer TLS and a reverse proxy. - Treat demo credentials as public; the demo is not a private environment.
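Review bot: In the DEPLOYMENT.md hunk at `@@ -62,6 +62,12 @@`, the new bullets tell the operator to point `API_BASE` at the public domain but never say how the reverse proxy should route requests to the two local ports (frontend on 4322, backend on 3001). With `API_BASE` set to a bare origin such as `https://openlikwid.org`, the proxy has to send API traffic to the backend and everything else to the frontend, so please document that routing rule (path prefix or separate hostname). Consider using a placeholder such as `https://demo.example.org` in the example as well, so that a copied config does not point at the project's own demo domain.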
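Review bot: In the DEPLOYMENT.md table hunk at `@@ -115,7 +121,9 @@`, the demo column for `BACKEND_BIND_HOST` and `FRONTEND_BIND_HOST` still defaults to `0.0.0.0`, so a VPS operator who skips the new step publishes both ports on every interface next to the reverse proxy. Since the demo runs with public credentials and a `demo_jwt_secret_...` signing secret, consider making `127.0.0.1` the demo default and documenting `0.0.0.0` as the opt-in for local testing. The visible hunks change documentation only, so please confirm that the compose file actually reads these two variables. The `FRONTEND_BIND_HOST|` cell is also missing the space before the pipe.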
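Review bot: In the docs/admin/demo-operations.md hunk at `@@ -12,8 +12,9 @@`, the lines "Frontend (local-only on VPS)" and "Backend API (local-only on VPS)" state as fact something that holds only when `BACKEND_BIND_HOST` and `FRONTEND_BIND_HOST` are set to `127.0.0.1`, while DEPLOYMENT.md lists `0.0.0.0` as their default. Name the two variables here, or link to the DEPLOYMENT.md section that sets them, so an admin can verify the binding instead of assuming it.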
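Review bot: In the "Security notes" hunk at `@@ -51,5 +52,5 @@`, the list covers the database port but not the frontend and backend ports that this patch recommends binding to localhost. Add a bullet saying that ports 4322 and 3001 should be bound to `127.0.0.1` so the reverse proxy is the only public entry point, because "Prefer TLS and a reverse proxy" on its own does not stop direct access to the published ports.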