diff --git a/src/documentation/content/xdocs/security.xml b/src/documentation/content/xdocs/security.xml
index 358390181e..f82065f977 100644
--- a/src/documentation/content/xdocs/security.xml
+++ b/src/documentation/content/xdocs/security.xml
@@ -86,28 +86,36 @@
and writing xlsx files - so if you are working with large xlsx files, you should consider using the
streaming APIs.
+
Use of Temp Files
+ Apache POI makes significant use of temporary files. You need to ensure that the directory used
+ for temp files cannot be manipulated or even read by untrusted users.
+
+ DefaultTempFileCreationStrategy is the default implementation but you can provide your own
+ strategy implementation. It is possible to configure POI to avoid temp file usage in some parts of
+ the code.
+
Consider sandboxing document-parsing
If you operate in a highly sensitive environment and would like to avoid any side effect from
parsing documents on your application, then consider extracting the parsing logic into a separate
process which is configured with appropriate memory settings and which you stop after some timeout.
It is a good idea to be able to auto-restart the process in case of a crash.
-
+
Keep up to date with releases
Apache POI does occasionally issue CVEs for security issues. There are also other bug fixes and
improvements in each release. Some of these fixes will be to make POI more robust against malicious
inputs, even if they are not explicitly security-related.
-
+
Monitor security advisories
Keep an eye on security advisories related to Apache POI. You can find them on the
POI website and they are shared on the
POI mailing lists as well as
the Apache Announce Mailing List.
-
+
OpenCVE is one of a
number of services that can help you monitor CVEs for specific products.
-
+
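Review bot: the new "Use of Temp Files" paragraphs tell the reader that a custom strategy can be supplied and that temp file usage can be avoided "in some parts of the code", but neither statement says how: the text does not name the API through which a TempFileCreationStrategy is registered (the setter on TempFile, or a link to its Javadoc, would do), and it does not say which components can be configured to avoid temp files or which settings control that. As written, a reader who wants to act on the advice has nowhere to go. Suggest extending the second paragraph along the lines of "Register a custom strategy with ... ; the components that can be configured to avoid temp files are ... (see ...)". It would also help to state where DefaultTempFileCreationStrategy puts its files by default, since the first paragraph asks the reader to lock that directory down without saying which directory it is, and to note that cleanup on exit is something the strategy is responsible for, so a custom implementation must handle it too.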