diff --git a/README.md b/README.md
index 2a598b42..921bba13 100644
--- a/README.md
+++ b/README.md
@@ -1040,6 +1040,8 @@ url parameters:
 
 * `pw=hunter2` for password auth
   * if you enabled `--usernames` then do `pw=username:password` instead
+* `nopw` disables embedding the password (if provided) into item-URLs in the feed
+* `nopw=a` disables mentioning the password anywhere at all in the feed; may break some readers
 * `recursive` to also include subfolders
 * `title=foo` changes the feed title (default: folder name)
 * `fext=mp3,opus` only include mp3 and opus files (default: all)
diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py
index 1638f892..f5ede83c 100644
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@@ -1425,10 +1425,10 @@ class HttpCli(object):
 
         hits = idx.run_query(self.uname, [self.vn], uq, uv, False, False, nmax)[0]
 
-        pw = self.ouparam.get("pw")
-        if pw:
-            q_pw = "?pw=%s" % (html_escape(pw, True, True),)
-            a_pw = "&pw=%s" % (html_escape(pw, True, True),)
+        if "pw" in self.ouparam and "nopw" not in self.ouparam:
+            zs = self.ouparam["pw"]
+            q_pw = "?pw=%s" % (quotep(zs),)
+            a_pw = "&pw=%s" % (quotep(zs),)
             for i in hits:
                 i["rp"] += a_pw if "?" in i["rp"] else q_pw
         else:
@@ -1442,6 +1442,8 @@ class HttpCli(object):
             self.host,
         )
         feed = baseurl + self.req[1:]
+        if "pw" in self.ouparam and self.ouparam.get("nopw") == "a":
+            feed = re.sub(r"&pw=[^&]*", "", feed)
         if self.is_vproxied:
             baseurl += self.args.RS
         efeed = html_escape(feed, True, True)