diff --git a/src/docs/asciidoc/web/webflux.adoc b/src/docs/asciidoc/web/webflux.adoc
index 9235d08a425..6c88f730224 100644
--- a/src/docs/asciidoc/web/webflux.adoc
+++ b/src/docs/asciidoc/web/webflux.adoc
@@ -1,5 +1,6 @@
 [[webflux]]
 = Spring WebFlux
+:doc-spring-security: {doc-root}/spring-security/site/docs/current/reference
 
 
 
@@ -2064,8 +2065,29 @@ include::webflux-functional.adoc[leveloffset=+1]
 
 
 
+include::webflux-cors.adoc[leveloffset=+1]
+
+
+
+
+[[webflux-web-security]]
+== Web Security
+[.small]#<<web.adoc#mvc-web-security,Same in Spring MVC>>#
+
+The http://projects.spring.io/spring-security/[Spring Security] project provides support
+for protecting web applications from malicious exploits. Check out the Spring Security
+reference documentation including:
+
+* {doc-spring-security}/html5/#jc-webflux[WebFlux Security]
+* {doc-spring-security}/html5/#test-webflux["WebFlux Testing Support"]
+* {doc-spring-security}/html5/#csrf[CSRF Protection]
+* {doc-spring-security}/html5/#headers[Security Response Headers]
+
+
+
+
 [[webflux-config]]
-== WebFlux Java Config
+== WebFlux Config
 [.small]#<<web.adoc#mvc-config,Same in Spring MVC>>#
 
 The WebFlux Java config declares components required to process requests with annotated
@@ -2453,7 +2475,6 @@ from the base class and you can still have any number of other ``WebMvcConfigure
 the classpath.
 
 
-include::webflux-cors.adoc[leveloffset=+1]
 
 
 [[webflux-http2]]
diff --git a/src/docs/asciidoc/web/webmvc.adoc b/src/docs/asciidoc/web/webmvc.adoc
index 322a939a7d3..8808c6b6b2a 100644
--- a/src/docs/asciidoc/web/webmvc.adoc
+++ b/src/docs/asciidoc/web/webmvc.adoc
@@ -3545,20 +3545,18 @@ include::webmvc-cors.adoc[leveloffset=+1]
 
 [[mvc-web-security]]
 == Web Security
+[.small]#<<web-reactive.adoc#webflux-web-security,Same in Spring WebFlux>>#
 
-The http://projects.spring.io/spring-security/[Spring Security] project provides features
-to protect web applications from malicious exploits. Check out the reference documentation in the sections on
-{doc-spring-security}/htmlsingle/#csrf["CSRF protection"],
-{doc-spring-security}/htmlsingle/#headers["Security Response Headers"], and also
-{doc-spring-security}/htmlsingle/#mvc["Spring MVC Integration"].
-Note that using Spring Security to secure the application is not necessarily required for all features.
-For example CSRF protection can be added simply by adding the `CsrfFilter` and
-`CsrfRequestDataValueProcessor` to your configuration. See the
-https://github.com/spring-projects/spring-mvc-showcase/commit/361adc124c05a8187b84f25e8a57550bb7d9f8e4[Spring MVC Showcase]
-for an example.
-
-Another option is to use a framework dedicated to Web Security.
-http://hdiv.org/[HDIV] is one such framework and integrates with Spring MVC.
+The http://projects.spring.io/spring-security/[Spring Security] project provides support
+for protecting web applications from malicious exploits. Check out the Spring Security
+reference documentation including:
+
+* {doc-spring-security}/html5/#mvc[Spring MVC Security]
+* {doc-spring-security}/html5/#test-mockmvc[Spring MVC Test Support]
+* {doc-spring-security}/html5/#csrf[CSRF protection]
+* {doc-spring-security}/html5/#headers[Security Response Headers]
+
+http://hdiv.org/[HDIV] is another web security framework that integrates with Spring MVC.