diff --git a/documentation/security.html b/documentation/security.html index ee813eee5e..fc658a822c 100755 --- a/documentation/security.html +++ b/documentation/security.html @@ -85,6 +85,54 @@ This will prevent direct access to your settings and make it seem totally the sa

Don't hesitate to hire an experienced administrator to do that, it might be a bit more expensive now, but you'll be happy not to have to loose all of your data to a hacker who attacked your site.

+

Only the following directories have required (or optional) write + permissions from the web server:
+

+
+ Because these directories have "write by the web server" permissions, + it is important to prevent the execution of PHP scripts from those + directories (because a specially-crafted attack could end up allowing + the upload of a PHP script to one of these). To do that, taking into + account we authorize overrides through .htaccess, we need to set + something that a .htaccess file cannot revert, and we need to set it + for each of those directories. This can be done as follows inside + your VirtualHost definition in Apache (you'll have to translate it for + Nginx configueations), where "/var/www/URL/" is the path of your VirtualHost web root:
+
+  
+    php_admin_value engine Off
+  
+  
+    php_admin_value engine Off
+  
+  
+    php_admin_value engine Off
+  
+  
+    php_admin_value engine Off
+  
+  
+    php_admin_value engine Off
+  
+  
+    php_admin_value engine Off
+  
+  
+    php_admin_value engine Off
+  
+  
+    php_admin_value engine Off
+  
+
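Review bot: the eight Directory containers in the added Apache snippet render with no directory path at all (each block shows only `php_admin_value engine Off`), and the list that should follow "Only the following directories have required (or optional) write permissions from the web server" is likewise empty in the rendered page, so a reader cannot tell which directories the rule is meant to cover. Since this is documentation/security.html, the raw angle-bracket `<Directory ...>` tags are almost certainly being swallowed as HTML markup; they need to be escaped (`&lt;Directory ...&gt;` / `&lt;/Directory&gt;`), and the directory list needs the same check, otherwise the whole point of the section (one non-overridable rule per writable directory) is lost. Two smaller points on the same hunk: `php_admin_value` is a mod_php directive, so the text should state that assumption next to the existing remark about translating for Nginx (under PHP-FPM the snippet has no effect and a different deny rule is required), and "Nginx configueations" should read "Nginx configurations" (while here, "loose all of your data" in the surrounding context should be "lose").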