Merge pull request #215 from apache/WW-5339-ognl-map

WW-5339 Document new OGNL security options
diff --git a/source/security/index.md b/source/security/index.md
index 4cd785f..50f6b95 100644
--- a/source/security/index.md
+++ b/source/security/index.md
@@ -315,8 +315,6 @@
 
 The defaults are defined [here](https://github.com/apache/struts/blob/master/core/src/main/resources/struts-excluded-classes.xml).
 
-Additionally, static methods are blocked, and static fields can also be blocked with 'struts.allowStaticFieldAccess'.
-
 Any expression or target which does not pass this criteria will be blocked, and you will see a warning in the logs:
 
 ```
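Review bot: The removed sentence names the constant as 'struts.allowStaticFieldAccess', while the bullet that replaces it further down in this patch writes `struts.ognl.allowStaticFieldAccess`. Please confirm which key is correct and, if the old text was simply wrong, say so in the commit message, because readers who copied the earlier name into their configuration will want to know whether that setting ever took effect. Dropping the sentence here also leaves this paragraph with no mention that static methods are blocked until the reader reaches the new "Additional Options" list, so a short pointer to that section would keep the excluded-classes discussion complete.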
@@ -329,6 +327,15 @@
 It is possible to redefine the above constants in `struts.xml`, but avoid reducing the list, instead extending the list
 with other known dangerous classes or packages in your application.
 
+#### Additional Options
+
+We additionally recommend enabling the following options and hope to enable them by default in a future major version.
+
+ * `struts.ognl.allowStaticFieldAccess=false` - static methods are always blocked, but static fields can also optionally be blocked
+ * `struts.disallowProxyMemberAccess=true` - disallow proxied objects from being used in OGNL expressions as they may present a security risk
+ * `struts.disallowDefaultPackageAccess=true` - disallow access to classes in the default package which should not be used in production
+ * `struts.ognl.disallowCustomOgnlMap=true` - disallow construction of custom OGNL maps which can be used to bypass the SecurityMemberAccess policy
+
 #### Allowlist Capability
 
 > Note: since Struts 6.4.
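Review bot: The new "Additional Options" section gives no version information, although the "Allowlist Capability" section right after it opens with "Note: since Struts 6.4." Please add an equivalent note stating from which release each of the four options is available, and state each option's current default, since "hope to enable them by default in a future major version" only implies that they are off today. The bullets also mix two prefixes (`struts.ognl.` on the first and last, plain `struts.` on the two `disallow...Access` options); if that matches the real constant names, fine, but it is worth double-checking because a mistyped key in a hardening list is easy to miss. Finally, "as they may present a security risk" on the `struts.disallowProxyMemberAccess` bullet would be more useful with a short statement of what the risk is, in the way the `disallowCustomOgnlMap` bullet names the SecurityMemberAccess bypass.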