From b803d7c7238a5dd3deda692c3ac850f79a8ff58b Mon Sep 17 00:00:00 2001 From: Joe Orton Date: Mon, 15 Jun 2026 08:05:09 +0000 Subject: [PATCH] * SECURITY.md: Tweak wording around delegated configs. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1935333 13f79535-47bb-0310-9956-ffa450edef68 --- SECURITY.md | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 8d2c84da5a..24bf4e3f2c 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -103,15 +103,21 @@ CVE-2012-0031. ## Delegated Configuration Server configuration can be delegated to trusted local site authors by -allowing use of .htaccess files in non-default configurations. Local -site authors are trusted to not attack the server with malformed or -malicious .htaccess files (for example, files of excessive size). +allowing use of .htaccess files in some configurations (see +https://httpd.apache.org/docs/2.4/howto/htaccess.html). Site authors +gain a significant degree of control over, and access to, the server +at run-time: -In configurations supporting in-process scripting language interpreters -which are not sandboxed, such as `mod_lua` or `mod_php`, local site -authors have equivalent privileges to the less-privileged server user. +* site authors are trusted to not attack the server with malformed or + malicious .htaccess files (for example, files of excessive size). + +* site authors gain access to some data (such as files or the + environment) which is otherwise restricted. -(### TODO something about AllowOverride) +In configurations supporting in-process scripting language interpreters +which are not sandboxed, such as `mod_lua` or `mod_php`, +site authors have exactly equivalent privileges to the user which the +server runs as. ## Dependent Services -- 2.47.3
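Review bot: the hunk drops the `(### TODO something about AllowOverride)` placeholder but the replacement text never names the directive that actually enables or disables this delegation, so a reader of SECURITY.md still has to follow the howto link to learn which setting they should audit; consider stating it directly in the paragraph that now reads `allowing use of .htaccess files in some configurations (see` `https://httpd.apache.org/docs/2.4/howto/htaccess.html)`, for example "(controlled by the AllowOverride directive; see ...)". Separately, the lead sentence ending in `at run-time:` promises a list of what site authors gain, but the first bullet (`site authors are trusted to not attack the server with malformed or` `malicious .htaccess files`) is a trust assumption rather than a gained capability, so it reads as a mismatch with the intro; either reword the intro to cover both trust assumptions and capabilities, or move the trust sentence back into prose before the list.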