diff --git a/docs/tutorial/security.md b/docs/tutorial/security.md
index b0ebf8dc9b..6962f79256 100644
--- a/docs/tutorial/security.md
+++ b/docs/tutorial/security.md
@@ -56,8 +56,9 @@ This is not bulletproof, but at the least, you should attempt the following:
 * Only display secure (https) content
 * Disable the Node integration in all renderers that display remote content
   (setting `nodeIntegration` to `false` in `webPreferences`)
-* Enable context isolation in all rendererers that display remote content
+* Enable context isolation in all renderers that display remote content
   (setting `contextIsolation` to `true` in `webPreferences`)
+* Use `ses.setPermissionRequestHandler()` in all sessions that load remote content
 * Do not disable `webSecurity`. Disabling it will disable the same-origin policy.
 * Define a [`Content-Security-Policy`](http://www.html5rocks.com/en/tutorials/security/content-security-policy/)
 , and use restrictive rules (i.e. `script-src 'self'`)