diff --git a/enable-tls-between-components.md b/enable-tls-between-components.md
index da29f4014559c..23ff50ea4b922 100644
--- a/enable-tls-between-components.md
+++ b/enable-tls-between-components.md
@@ -35,11 +35,11 @@ Currently, it is not supported to only enable encrypted transmission of some spe
 ```toml
 [security]
- # Path of file that contains list of trusted SSL CAs for connection with cluster components.
+ # Path of the file that contains list of trusted SSL CAs for connection with cluster components.
 cluster-ssl-ca = "/path/to/ca.pem"
- # Path of file that contains X509 certificate in PEM format for connection with cluster components.
+ # Path of the file that contains X509 certificate in PEM format for connection with cluster components.
 cluster-ssl-cert = "/path/to/tidb-server.pem"
- # Path of file that contains X509 key in PEM format for connection with cluster components.
+ # Path of the file that contains X509 key in PEM format for connection with cluster components.
 cluster-ssl-key = "/path/to/tidb-server-key.pem"
 ```
@@ -49,9 +49,12 @@ Currently, it is not supported to only enable encrypted transmission of some spe
 ```toml
 [security]
- # set the path for certificates. Empty string means disabling secure connections.
+ ## The path for certificates. An empty string means that secure connections are disabled.
+ # Path of the file that contains a list of trusted SSL CAs. If it is set, the following settings `cert_path` and `key_path` are also needed.
 ca-path = "/path/to/ca.pem"
+ # Path of the file that contains X509 certificate in PEM format.
 cert-path = "/path/to/tikv-server.pem"
+ # Path of the file that contains X509 key in PEM format.
 key-path = "/path/to/tikv-server-key.pem"
 ```
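Review bot: The added CA comment in the `@@ -49,9 +49,12 @@` hunk names `cert_path` and `key_path`, but the keys in that block are `cert-path` and `key-path`, so the comment points the reader at names the sample itself does not use. The same sentence is reused in the `@@ -61,11 +64,12 @@` hunk (`cacert-path`, `cert-path`, `key-path`) and the `@@ -87,9 +92,11 @@` hunk (`ca-path`, `cert-path`, `key-path`); only the block with `ca_path` actually uses underscores. Whether these servers reject or silently ignore an unrecognised key is not visible here, and if it is ignored, connections between components would stay unencrypted without any error. I would name the keys as each block spells them, for example `# Path of the file that contains a list of trusted SSL CAs. If it is set, cert-path and key-path are also needed.`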
@@ -61,11 +64,12 @@ Currently, it is not supported to only enable encrypted transmission of some spe
 ```toml
 [security]
- # Path of file that contains list of trusted SSL CAs. If set, following four settings shouldn't be empty
+ ## The path for certificates. An empty string means that secure connections are disabled.
+ # Path of the file that contains a list of trusted SSL CAs. If it is set, the following settings `cert_path` and `key_path` are also needed.
 cacert-path = "/path/to/ca.pem"
- # Path of file that contains X509 certificate in PEM format.
+ # Path of the file that contains X509 certificate in PEM format.
 cert-path = "/path/to/pd-server.pem"
- # Path of file that contains X509 key in PEM format.
+ # Path of the file that contains X509 key in PEM format.
 key-path = "/path/to/pd-server-key.pem"
 ```
@@ -75,11 +79,12 @@ Currently, it is not supported to only enable encrypted transmission of some spe
 ```toml
 [security]
- # Path of file that contains list of trusted SSL CAs. if set, following four settings shouldn't be empty
+ ## The path for certificates. An empty string means that secure connections are disabled.
+ # Path of the file that contains a list of trusted SSL CAs. If it is set, the following settings `cert_path` and `key_path` are also needed.
 ca_path = "/path/to/ca.pem"
- # Path of file that contains X509 certificate in PEM format.
+ # Path of the file that contains X509 certificate in PEM format.
 cert_path = "/path/to/tiflash-server.pem"
- # Path of file that contains X509 key in PEM format.
+ # Path of the file that contains X509 key in PEM format.
 key_path = "/path/to/tiflash-server-key.pem"
 ```
@@ -87,9 +92,11 @@ Currently, it is not supported to only enable encrypted transmission of some spe
 ```toml
 [security]
- # Sets the path for certificates. The empty string means that secure connections are disabled.
+ # Path of the file that contains a list of trusted SSL CAs. If it is set, the following settings `cert_path` and `key_path` are also needed.
 ca-path = "/path/to/ca.pem"
+ # Path of the file that contains X509 certificate in PEM format.
 cert-path = "/path/to/tiflash-server.pem"
+ # Path of the file that contains X509 key in PEM format.
 key-path = "/path/to/tiflash-server-key.pem"
 ```
diff --git a/tiflash/tiflash-configuration.md b/tiflash/tiflash-configuration.md
index fecfcf6b1ac22..572eee429ba73 100644
--- a/tiflash/tiflash-configuration.md
+++ b/tiflash/tiflash-configuration.md
@@ -144,7 +144,23 @@ delta_index_cache_size = 0
 ## The memory usage limit for the generated intermediate data when all queries
 ## are executed. The default value is 0 (in bytes), which means no limit.
- max_memory_usage_for_all_queries = 0
+ max_memory_usage_for_all_queries = 0
+
+## Security settings take effect starting from v4.0.5.
+[security]
+ ## This configuration item enables or disables log redaction. If the configuration value
+ ## is set to `true`, all user data in the log will be replaced by `?`.
+ ## Note that you also need to set `security.redact-info-log` for tiflash-learner's logging
+ ## in tiflash-learner.toml
+ # redact_info_log = false
+
+ ## Path of the file that contains a list of trusted SSL CAs. If set, the following settings
+ ## `cert_path` and `key_path` are also needed.
+ # ca_path = "/path/to/ca.pem"
+ ## Path of the file that contains X509 certificate in PEM format.
+ # cert_path = "/path/to/tiflash-server.pem"
+ ## Path of the file that contains X509 key in PEM format.
+ # key_path = "/path/to/tiflash-server-key.pem"
 ```
 ### Configure the `tiflash-learner.toml` file
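Review bot: The `@@ -87,9 +92,11 @@` hunk removes the only comment in its block saying that an empty string disables secure connections, and the new side does not carry that statement over. The other `[security]` samples in this commit gain `## The path for certificates. An empty string means that secure connections are disabled.`; adding the same line above the `ca-path` comment here would keep that default visible to whoever edits the file. The new `[security]` section added to tiflash/tiflash-configuration.md has the same gap: it lists `ca_path`, `cert_path` and `key_path` commented out without saying what leaving them unset means for encryption between components. If unset behaves like the empty string, which is not shown here, a one-line comment stating so would fit above `# ca_path`.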