diff --git a/miniupnpd/Changelog.txt b/miniupnpd/Changelog.txt
index 1b8e815..9fe8872 100644
--- a/miniupnpd/Changelog.txt
+++ b/miniupnpd/Changelog.txt
@@ -1,8 +1,9 @@
-$Id: Changelog.txt,v 1.500 2023/05/27 09:55:39 nanard Exp $
+$Id: Changelog.txt,v 1.501 2023/05/27 16:49:14 nanard Exp $
 
 2023/05/27:
   option enable_natpmp => enable_pcp_pmp
   add a short list of build-time options in --version output
+  enable secure mode by default
 
 VERSION 2.3.3 : released on 2023/02/17
 
diff --git a/miniupnpd/miniupnpd.c b/miniupnpd/miniupnpd.c
index 77757ff..61ff4e0 100644
--- a/miniupnpd/miniupnpd.c
+++ b/miniupnpd/miniupnpd.c
@@ -1,4 +1,4 @@
-/* $Id: miniupnpd.c,v 1.256 2023/05/27 09:55:40 nanard Exp $ */
+/* $Id: miniupnpd.c,v 1.257 2023/05/27 16:49:17 nanard Exp $ */
 /* vim: tabstop=4 shiftwidth=4 noexpandtab
  * MiniUPnP project
  * http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
@@ -1214,7 +1214,7 @@ init(int argc, char * * argv, struct runtime_vars * v)
 #endif /* DISABLE_CONFIG_FILE */
 
 	/* set initial values */
-	SETFLAG(ENABLEUPNPMASK);	/* UPnP is enabled by default */
+	SETFLAG(ENABLEUPNPMASK | SECUREMODEMASK);	/* UPnP and secure mode */
 #ifdef ENABLE_IPV6
 	ipv6_bind_addr = in6addr_any;
 #endif /* ENABLE_IPV6 */
@@ -1440,8 +1440,8 @@ init(int argc, char * * argv, struct runtime_vars * v)
 					CLEARFLAG(ENABLEUPNPMASK);
 				break;
 			case UPNPSECUREMODE:
-				if(strcmp(ary_options[i].value, "yes") == 0)
-					SETFLAG(SECUREMODEMASK);
+				if (strcmp(ary_options[i].value, "no") == 0)
+					CLEARFLAG(SECUREMODEMASK);
 				break;
 #ifdef ENABLE_LEASEFILE
 			case UPNPLEASEFILE:
@@ -1614,7 +1614,14 @@ init(int argc, char * * argv, struct runtime_vars * v)
 			break;
 #endif	/* defined(USE_PF) || defined(USE_IPF) */
 		case 'S':
-			SETFLAG(SECUREMODEMASK);
+			/* -S0 to disable secure mode, for backward compatibility
+			 * -S is ignored */
+			if (argv[i][2] == '0') {
+				CLEARFLAG(SECUREMODEMASK);
+			} else if (argv[i][2] != '\0') {
+				INIT_PRINT_ERR("Uses -S0 to disable secure mode.\n");
+				goto print_usage;
+			}
 			break;
 		case 'i':
 			if(i+1 < argc) {
@@ -2019,7 +2026,7 @@ print_usage:
 #if defined(USE_PF) || defined(USE_IPF)
 			" [-L]"
 #endif
-			" [-U] [-S]"
+			" [-U] [-S0]"
 #ifdef ENABLE_NATPMP
 			" [-N]"
 #endif
@@ -2059,7 +2066,7 @@ print_usage:
 #if defined(USE_PF) || defined(USE_IPF)
 			"\t-L sets packet log in pf and ipf on.\n"
 #endif
-			"\t-S sets \"secure\" mode : clients can only add mappings to their own ip\n"
+			"\t-S0 disable \"secure\" mode so clients can add mappings to other ips\n"
 			"\t-U causes miniupnpd to report system uptime instead "
 			"of daemon uptime.\n"
 #ifdef ENABLE_NATPMP
diff --git a/miniupnpd/miniupnpd.conf b/miniupnpd/miniupnpd.conf
index f23a1c4..80f6847 100644
--- a/miniupnpd/miniupnpd.conf
+++ b/miniupnpd/miniupnpd.conf
@@ -118,8 +118,8 @@
 #bitrate_down=10000000
 
 # Secure Mode, UPnP clients can only add mappings to their own IP
-#secure_mode=yes
-secure_mode=no
+# Enabled by default
+#secure_mode=no
 
 # Default presentation URL is HTTP address on port 80
 # If set to an empty string, no presentationURL element will appear