From cf7020ac53afa6ce147f3b8d905566f50bd5f6bd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Mon, 23 Feb 2026 09:24:50 +0100 Subject: [PATCH] docs: add security considerations to the `root` option --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index 350fccd..0c9cc17 100644 --- a/README.md +++ b/README.md @@ -111,6 +111,14 @@ This can also be a string accepted by the Serve files relative to `path`. +**Important:** The `root` option restricts the served path through string-level +normalization only. It does not resolve symbolic links. If the served +directory contains symlinks, they may resolve to files outside the root. + +Do not serve directories where untrusted users can create files or symlinks. +If your application accepts file uploads or operates in a shared/multi-tenant +environment, ensure the served directory is not writable by untrusted parties. + ##### start Byte offset at which the stream starts, defaults to 0. The start is inclusive,
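Review bot: The new "Important" note tells users what `root` does not do (no symlink resolution) but leaves them without a stated course of action for the case where they cannot guarantee a symlink-free tree, so consider adding one sentence after "they may resolve to files outside the root." along the lines of "If you need that guarantee, resolve the real path of the requested file yourself and verify it is still within the root before serving it." Also, "operates in a shared/multi-tenant environment" reads more cleanly as "runs in a shared or multi-tenant environment", and the two-paragraph warning would sit better as a single paragraph so it stays visually attached to the `root` option it qualifies rather than reading as general advice before `##### start`.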