diff --git a/Doc/library/http.server.rst b/Doc/library/http.server.rst
index 9d5e5e3a75b197f7de6775ced7766153be237804..3bb7294ebb4a798d76569e2b4b223ec676dfbb27 100644
--- a/Doc/library/http.server.rst
+++ b/Doc/library/http.server.rst
@@ -20,7 +20,7 @@ This module defines classes for implementing HTTP servers.
 .. warning::
 
     :mod:`http.server` is not recommended for production. It only implements
-    basic security checks.
+    :ref:`basic security checks <http.server-security>`.
 
 One class, :class:`HTTPServer`, is a :class:`socketserver.TCPServer` subclass.
 It creates and listens at the HTTP socket, dispatching the requests to a
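Review bot: In the warning block, the new link text "basic security checks" points at a section that describes something the handler does not guard against (following symbolic links), not the checks it performs, so a reader following the link will not find what the text promises. Consider leaving "basic security checks." as plain text and adding a separate sentence after it, for example "See :ref:`http.server-security`.", so the link describes its target.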
@@ -499,3 +499,14 @@ following command runs an HTTP/1.1 conformant server::
 the ``--cgi`` option::
 
         python -m http.server --cgi
+
+.. _http.server-security:
+
+Security Considerations
+-----------------------
+
+.. index:: pair: http.server; security
+
+:class:`SimpleHTTPRequestHandler` will follow symbolic links when handling
+requests, this makes it possible for files outside of the specified directory
+to be served.
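Review bot: In the added paragraph under "Security Considerations", "the specified directory" is not tied to anything in this section, so the reader cannot tell which directory is meant or how it was specified; name it explicitly (the handler's directory argument, or the current working directory when none is given). The sentence is also a comma splice at "requests, this makes it possible"; split it into two sentences, for example "... will follow symbolic links when handling requests. This makes it possible for files outside of the served directory to be served." The section would also be more useful if it said what an operator should do about it, such as not serving a tree that contains symbolic links to locations that must stay private.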
diff --git a/Doc/library/security_warnings.rst b/Doc/library/security_warnings.rst
index f985dc4acd11c18f3da9af8391b671cf2762d767..284f36583206236e45fcabf055cf4b828e5c5e3e 100644
--- a/Doc/library/security_warnings.rst
+++ b/Doc/library/security_warnings.rst
@@ -14,7 +14,7 @@ The following modules have specific security considerations:
   argument disabling known insecure and blocked algorithms
   <hashlib-usedforsecurity>`
 * :mod:`http.server` is not suitable for production use, only implementing
-  basic security checks
+  basic security checks. See the :ref:`security considerations <http.server-security>`.
 * :mod:`logging`: :ref:`Logging configuration uses eval()
   <logging-eval-security>`
 * :mod:`multiprocessing`: :ref:`Connection.recv() uses pickle
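Review bot: The added line "basic security checks. See the :ref:`security considerations <http.server-security>`." runs past the 80-column wrap that the surrounding entries keep, and it is the only item in this list that ends in a full sentence with a trailing period. Wrap the reference onto its own continuation line, and consider matching the neighbouring entries, which attach the :ref: to the description itself (as the logging and multiprocessing items do) instead of appending a "See the ..." sentence.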