docs: add security considerations to the root option

UlisesGascon · web-flow · commit cf7020ac53af · 2026-02-23T09:24:50.000+01:00
diff --git a/README.md b/README.md
@@ -111,6 +111,14 @@ This can also be a string accepted by the
 
 Serve files relative to `path`.
 
+**Important:** The `root` option restricts the served path through string-level
+normalization only. It does not resolve symbolic links. If the served
+directory contains symlinks, they may resolve to files outside the root.
+
+Do not serve directories where untrusted users can create files or symlinks.
+If your application accepts file uploads or operates in a shared/multi-tenant
+environment, ensure the served directory is not writable by untrusted parties.
+
 ##### start
 
 Byte offset at which the stream starts, defaults to 0. The start is inclusive,
