diff --git a/docs/topics/security.txt b/docs/topics/security.txt
index aaee7d8..3017ab0 100644
a
|
b
|
User-uploaded content
|
236 | 236 | you can take to mitigate these attacks: |
237 | 237 | |
238 | 238 | 1. One class of attacks can be prevented by always serving user uploaded |
239 | | content from a distinct Top Level Domain (TLD). This prevents any |
240 | | exploit blocked by `same-origin policy`_ protections such as cross site |
241 | | scripting. For example, if your site runs on ``example.com``, you would |
242 | | want to serve uploaded content (the :setting:`MEDIA_URL` setting) from |
243 | | something like ``usercontent-example.com``. It's *not* sufficient to |
244 | | serve content from a subdomain like ``usercontent.example.com``. |
| 239 | content from a distinct top-level or second-level domain. This prevents |
| 240 | any exploit blocked by `same-origin policy`_ protections such as cross |
| 241 | site scripting. For example, if your site runs on ``example.com``, you |
| 242 | would want to serve uploaded content (the :setting:`MEDIA_URL` setting) |
| 243 | from something like ``usercontent-example.com`` or ``example.net``. |
| 244 | It's *not* sufficient to serve content from a subdomain like |
| 245 | ``usercontent.example.com``. |
245 | 246 | |
246 | 247 | 2. Beyond this, applications may choose to define a whitelist of allowable |
247 | 248 | file extensions for user uploaded files and configure the web server |
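Review bot: the rewritten first item still asserts that a subdomain is *not* sufficient without saying why, and that reason is what gives the new "top-level or second-level domain" wording its force: browsers scope cookies by domain suffix, so a cookie set with ``Domain=example.com`` is shared with every subdomain including ``usercontent.example.com``, and content executing there can read or set it, whereas ``usercontent-example.com`` and ``example.net`` share neither cookies nor origin with ``example.com``. Suggest following "It's *not* sufficient to serve content from a subdomain like ``usercontent.example.com``." with a short clause such as "because cookies scoped to ``example.com`` are also sent to its subdomains", and optionally naming the property being asked for as a separate registrable domain, which is more precise than "top-level or second-level". Minor: "cross site scripting" in the rewritten lines should be hyphenated as "cross-site scripting".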