pingcap · dveeden · Sep 5, 2025 · Sep 5, 2025 · Sep 5, 2025 · Sep 5, 2025
diff --git a/best-practices-for-security-configuration.md b/best-practices-for-security-configuration.md
@@ -20,6 +20,8 @@ To avoid this risk, it is recommended to set a root password during deployment:
 - For deployments using TiUP, refer to [Deploy TiDB Cluster Using TiUP](/production-deployment-using-tiup.md#step-7-start-a-tidb-cluster) to generate a random password for the root user.
 - For deployments using TiDB Operator, refer to [Set initial account and password](https://docs.pingcap.com/tidb-in-kubernetes/stable/initialize-a-cluster#set-initial-account-and-password) to set the root password.
 
+You can also use the [`--initialize-secure`](/command-line-flags-for-tidb-configuration.md#--initialize-secure) option to restrict network access for the initial root user.
+
 ## Enable password complexity checks
 
 By default, TiDB does not enforce password complexity policies, which might lead to the use of weak or empty passwords, increasing security risks.

diff --git a/command-line-flags-for-tidb-configuration.md b/command-line-flags-for-tidb-configuration.md
@@ -49,7 +49,7 @@ When you start the TiDB cluster, you can use command-line options or environment
 
 ## `--initialize-secure`
 
-- Bootstraps tidb-server in secure mode
+- Controls whether to create a `root` account using the `auth_socket` authentication method during tidb-server initialization. If it is set to `true`, when connecting to TiDB for the first time, you must use a socket connection, which provides stronger security.
 - Default: `false`
 
 ## `--initialize-sql-file`