Add security considerations and best practices for processing XML and YAML, including examples and detailed mitigations against XXE and RCE vulnerabilities. Introduce new security documentation sections for serialization formats and updated threat model.

docs/README.md

@@ -123,6 +123,16 @@ For experienced users:
 - [Performance Optimization](advanced/performance-optimization.md)
 - [Extending the Framework](advanced/extending-framework.md)
 
+### Security
+
+Guidance for processing untrusted data safely:
+
+- [Security Overview](security/index.md) — Introduction to security considerations
+- [Threat Model](security/threat-model.md) — Attack vectors and trust boundaries
+- [Format Security](security/format-considerations/index.md) — Per-format security guidance
+- [Best Practices](security/best-practices.md) — Secure configuration patterns
+- [Secure Configuration Examples](security/secure-configuration-examples.md) — Ready-to-use examples
+
 ### Spring Boot Integration
 
 Seamlessly integrate Aether Datafixers into Spring Boot applications:

docs/codec/xml.md

@@ -338,6 +338,38 @@ DataResult<ServerConfig> result = ServerConfig.CODEC.decode(JacksonXmlOps.INSTAN
 ServerConfig config = result.getOrThrow();
 ```
 
+## Security Considerations
+
+> **WARNING:** XML processing is vulnerable to **XXE (XML External Entity)** attacks.
+> When processing untrusted XML, you **MUST** configure the `XmlMapper` to disable
+> external entity processing.
+
+**XXE attacks can:**
+- Read local files (`file:///etc/passwd`)
+- Perform Server-Side Request Forgery (SSRF)
+- Cause Denial of Service through entity expansion (Billion Laughs)
+
+**Secure configuration for untrusted XML:**
+
+```java
+XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory();
+xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+xmlInputFactory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
+
+XmlMapper secureMapper = XmlMapper.builder(
+    XmlFactory.builder()
+        .xmlInputFactory(xmlInputFactory)
+        .build()
+).build();
+
+JacksonXmlOps secureOps = new JacksonXmlOps(secureMapper);
+```
+
+For detailed security guidance and configuration examples, see [Jackson XML Security](../security/format-considerations/jackson.md#xxe-prevention).
+
+---
+
 ## Best Practices
 
 1. **Use Simple Structures** - Jackson XML works best with simple, well-structured XML

docs/codec/yaml.md

@@ -132,6 +132,32 @@ Yaml yaml = new Yaml(new SafeConstructor(loaderOptions));
 Object data = yaml.load(untrustedYaml);
 ```
 
+## Security Considerations
+
+> **WARNING:** When loading YAML from untrusted sources, you **MUST** use `SafeConstructor`
+> to prevent arbitrary code execution attacks. The default `Yaml()` constructor allows
+> instantiation of arbitrary Java classes, which can lead to **Remote Code Execution (RCE)**.
+
+**Critical security measures for untrusted YAML:**
+
+1. **Always use `SafeConstructor`** — Prevents arbitrary class instantiation
+2. **Limit alias expansion** — Set `maxAliasesForCollections` to prevent Billion Laughs attacks
+3. **Limit nesting depth** — Set `nestingDepthLimit` to prevent stack overflow
+4. **Limit input size** — Set `codePointLimit` to prevent memory exhaustion
+
+```java
+// Secure configuration for untrusted YAML
+LoaderOptions options = new LoaderOptions();
+options.setMaxAliasesForCollections(50);
+options.setNestingDepthLimit(50);
+options.setCodePointLimit(3 * 1024 * 1024);
+options.setAllowDuplicateKeys(false);
+
+Yaml safeYaml = new Yaml(new SafeConstructor(options));
+```
+
+For detailed security guidance, see [SnakeYAML Security](../security/format-considerations/snakeyaml.md).
+
 ### Data Types
 
 SnakeYamlOps works with native Java types: