2 files changed, 12 insertions, 1 deletions

diff --git a/README.md b/README.md
index 115cd20..899a289 100644
--- a/README.md
+++ b/README.md
@@ -69,6 +69,7 @@ without having to touch the PHP code.
         * Whitelisting of [stream wrappers](https://secure.php.net/manual/en/intro.stream.php)
         * Preventing writeable files execution
         * Whitelist/blacklist for `eval`
+        * Enforcing TLS certificate validation when using [curl](https://secure.php.net/manual/en/book.curl.php)
         * Request dumping capability
 
 ## Download
diff --git a/doc/source/features.rst b/doc/source/features.rst
index dd35e2b..4f8edb9 100644
--- a/doc/source/features.rst
+++ b/doc/source/features.rst
@@ -439,9 +439,19 @@ Arbitrary file inclusion hardening
 """"""""""""""""""""""""""""""""""
 
 Arbitrary file inclusion is a common vulnerability, that might be detected
-by preventing the inclusion of anything that doens't match a strict set
+by preventing the inclusion of anything that doesn't match a strict set
 of file extensions in calls to ``include`` or ``require``.
 
+
+Enforcing certificate validation when using curl
+""""""""""""""""""""""""""""""""""""""""""""""""
+
+While it might be convenient to disable certificate validation on preproduction
+or during tests, it's `common <https://twitter.com/CiPHPerCoder/status/1056974646363516928>`__
+to see that people are disabling it on production too.
+We're detecting/preventing this by not allowing the ``CURLOPT_SSL_VERIFYPEER`` and
+``CURLOPT_SSL_VERIFYHOST`` options from being set to ``0``.
+
 *Cheap* SQL injections detection
 """"""""""""""""""""""""""""""""