pytorch · agunapal · Oct 10, 2023 · Oct 9, 2023 · Oct 10, 2023 · Oct 10, 2023
diff --git a/SECURITY.md b/SECURITY.md
@@ -27,6 +27,8 @@ TorchServe as much as possible relies on automated tools to do security scanning
 3. Be sure to validate the authenticity of the `.mar` file being used with TorchServe.
     1. A `.mar` file being downloaded from the internet from an untrusted source may have malicious code, compromising the integrity of your application
     2. TorchServe executes arbitrary python code packaged in the `mar` file. Make sure that you've either audited that the code you're using is safe and/or is from a source that you trust
+4. By default TorchServe allows you to register models from all URLs. Make sure to set `allowed_urls` parameter in config.properties to restrict this. You can find more details in the [configuration guide](https://github.com/pytorch/serve/blob/master/docs/configuration.md#other-properties)
+    - `use_env_allowed_urls=true` is required in config.properties to read `allowed_urls` from environment variable