diff --git a/SECURITY.md b/SECURITY.md index 15b66c7552..38d22373c6 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -27,6 +27,8 @@ TorchServe as much as possible relies on automated tools to do security scanning 3. Be sure to validate the authenticity of the `.mar` file being used with TorchServe. 1. A `.mar` file being downloaded from the internet from an untrusted source may have malicious code, compromising the integrity of your application 2. TorchServe executes arbitrary python code packaged in the `mar` file. Make sure that you've either audited that the code you're using is safe and/or is from a source that you trust +4. By default TorchServe allows you to register models from all URLs. Make sure to set `allowed_urls` parameter in config.properties to restrict this. You can find more details in the [configuration guide](https://github.com/pytorch/serve/blob/master/docs/configuration.md#other-properties) + - `use_env_allowed_urls=true` is required in config.properties to read `allowed_urls` from environment variable
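Review bot: The new sub-bullet under item 4 muddles where `allowed_urls` is read from: the parent sentence says to set `allowed_urls` in config.properties, while the sub-bullet says `use_env_allowed_urls=true` is "required" to read it from an environment variable, which a reader can take to mean the environment variable is the only supported source. Suggest rewording to make the two paths explicit, e.g. "Set `allowed_urls` in config.properties to restrict registration to trusted sources. If you prefer to supply the list through an environment variable instead, also set `use_env_allowed_urls=true` in config.properties." It would also help to state the consequence of the default ("all URLs") in the same terms as items 1-3: with no allow list, anyone able to reach the management API can have TorchServe fetch and execute a `.mar` from an arbitrary host, so the allow list should be treated as mandatory rather than optional hardening. Minor: the link targets the `master` branch anchor `#other-properties`, which will silently break if the configuration guide is reorganised; linking to the specific `allowed_urls` entry, if one exists, would be more robust.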