diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 47bea88c9a5..f70ec1d5976 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -169,8 +169,7 @@ content.data.ofbiz.file.allowed.paths=applications/,themes/,plugins/,runtime/
 # -- Allowed directories for the LOCAL_FILE / LOCAL_FILE_BIN data resource types (absolute paths).
 # -- Comma-separated, no spaces after commas. Use ${ofbiz.home} as a portable placeholder.
 # -- Only files whose resolved canonical path starts with one of these entries will be served.
-# -- Set to empty to disable this check (NOT recommended).
-content.data.local.file.allowed.paths=${ofbiz.home}
+content.data.local.file.allowed.paths=${ofbiz.home}/runtime/tmp/
 
 # -- Allowed hosts for the URL_RESOURCE data resource type (comma-separated host names or host:port values).
 # -- Both exact matches and subdomain matches are supported: "example.com" also permits "cdn.example.com".