[Docs] Update security doc (#642)

* update security doc * update security doc
apache · Jul 14, 2023 · f86b827 · f86b827
1 parent 441506e
commit f86b827
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -342,13 +342,14 @@ We are still improving our protocols, binary compatibility are not ensured betwe
 Binary compatibility will be ensured before fury 1.0.
 
 ## Security
-Static serialization such as row format are secure by nature. But dynamic object graph serialization supports  deserialize unregistered types, which can introduce security risks.
+Static serialization such as row format are secure by nature. But native java/python dynamic object graph serialization 
+supports deserialize unregistered types, which can introduce security risks.
 
 For example, the deserialization may invoke `init` constructor or `equals`/`hashCode` method, if the method body contains malicious code, the system will be at risks.
 
-Fury provides a secure mode option and enabled by default for this protocol, which allows deserializing trusted registered types or built-in types only for security.
+Fury provides a secure mode option and enabled by default for this protocol, which allows deserializing trusted registered types or built-in types only.
 
-If your environment is **indeed secure**, you can disable the secure mode, then the user types are not needed be registered ahead, and can be serialized automatically.
+You can take this option as a whitelist mechanism. **Do not disable it unless you can ensure your environment is indeed secure**.
 
 ## RoadMap
 - Meta compression, auto meta sharing and cross-language schema compatibility.

diff --git a/docs/user_guide.md b/docs/user_guide.md
@@ -553,8 +553,10 @@ byte[] bytes = fury.serialize(object);
 System.out.println(fury.deserialize(bytes));
 ```
 
-### Class Registration
-`FuryBuilder#requireClassRegistration`/`FuryBuilder#withSecureMode` can be used to disable class registration, this will allow to deserialize objects unknown types, more flexible but less secure. Do not disable class registration until you know what you are doing.
+### Security & Class Registration
+`FuryBuilder#requireClassRegistration`/`FuryBuilder#withSecureMode` can be used to disable class registration, this will allow to deserialize objects unknown types, more flexible but **less secure**.
+
+**Do not disable class registration unless you can ensure your environment is indeed secure**. Malicious code in `init/equals/hashCode` can be executed when deserializing unknown/untrusted types when this option disabled. 
 
 Class registration can not only reduce security risks, but also avoid classname serialization cost.