diff --git a/core/middleware.py b/core/middleware.py
new file mode 100644
index 0000000..35f7e3d
--- /dev/null
+++ b/core/middleware.py
@@ -0,0 +1,6 @@
+import settings
+
+class FinetoothEnvironmentMiddleware:
+    def process_request(self, request):
+        request.possible_environments = settings.Environment
+        request.environment = settings.ENVIRONMENT
diff --git a/settings.py b/settings.py
index a7b9671..565220b 100644
--- a/settings.py
+++ b/settings.py
@@ -9,7 +9,9 @@
 
 BASE_DIR = os.path.dirname(os.path.dirname(__file__))
 
-Environment = Enum('Environment', ("development", "heroku_demo"))
+Environment = Enum('Environment', ("development", "heroku_demo",
+                                   # unused as yet---
+                                   "production"))
 
 # XXX: surely there must be a better way to detect deployment
 # environment at runtime?
@@ -50,6 +52,7 @@
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
+    'core.middleware.FinetoothEnvironmentMiddleware'
 )
 
 ROOT_URLCONF = 'urls'
diff --git a/templates/includes/demo_disclaimer.html b/templates/includes/demo_disclaimer.html
new file mode 100644
index 0000000..cc23bed
--- /dev/null
+++ b/templates/includes/demo_disclaimer.html
@@ -0,0 +1,19 @@
+<div class="alert alert-warning">
+  <p>
+    <i class="glyphicon glyphicon-warning-sign"></i>
+    This instance of the Finetooth software is being run for
+    <strong>purposes of demonstration only</strong>. The site
+    operators make no promises about the integrity of your data. (That
+    is, if we take the site down or delete stuff for some reason or no
+    reason, we won't feel bad about it.)
+  </p>
+  <p>
+    {% if not request.is_secure %}
+      Relatedly, this page is <em><strong>not</strong></em> being
+      served over an encrypted connection! (Sorry.) It is
+      technologically feasible for third parties to intercept your
+      password! <strong>Don't reuse a password here</strong> that you
+      care about being kept secret!
+    {% endif %}
+  </p>
+</div>
diff --git a/templates/login.html b/templates/login.html
index 5368834..3ade36a 100644
--- a/templates/login.html
+++ b/templates/login.html
@@ -9,6 +9,11 @@
   <p>{{ form.errors }}</p>
 {% endif %}
 
+{% if request.environment != request.possible_environments.production %}
+  {% include "includes/demo_disclaimer.html" %}
+{% endif %}
+
+
 <form method="post" action="{% url 'login' %}">
 {% csrf_token %}
 <table>
diff --git a/templates/sign_up.html b/templates/sign_up.html
index 734e539..54b58d4 100644
--- a/templates/sign_up.html
+++ b/templates/sign_up.html
@@ -3,6 +3,11 @@
 {% block subtitle %}Sign up{% endblock %}
 
 {% block content %}
+
+{% if request.environment != request.possible_environments.production %}
+  {% include "includes/demo_disclaimer.html" %}
+{% endif %}
+
 <form action="{% url 'sign_up' %}" method="post">
 {% csrf_token %}
 {{ signup_form.as_p }}