diff --git a/website/source/docs/internals/security.html.md b/website/source/docs/internals/security.html.md index f5a54d22c0..feadde151e 100644 --- a/website/source/docs/internals/security.html.md +++ b/website/source/docs/internals/security.html.md @@ -74,7 +74,7 @@ non-default options that potentially present additional security risks. be `false` otherwise, even with ACLs configured, script checks present a remote code execution threat. [`enable_local_script_checks`](/docs/agent/options.html#_enable_local_script_checks) - provides a secure alterative if the HTTP API must be exposed and is available + provides a secure alternative if the HTTP API must be exposed and is available from 1.3.0 on. This feature was also back-ported to patch releases 0.9.4, 1.1.1, and 1.2.4 [as described here](https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations). @@ -88,7 +88,7 @@ non-default options that potentially present additional security risks. * **Verify Server Hostname Used Alone.** From version 0.5.1 to 1.4.0 we documented that `verify_server_hostname` being `true` _implied_ `verify_outgoing` however due to a bug this was not the case so setting _only_ `verify_server_hostname` - results in plaintext communciation between client and server. See + results in plaintext communication between client and server. See [CVE-2018-19653](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19653) for more details. This is fixed in 1.4.1.
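Review bot: In the `@@ -74,7 +74,7 @@` hunk, the corrected line is still ambiguous: in "provides a secure alternative if the HTTP API must be exposed and is available from 1.3.0 on", the phrase "is available" can be read as attaching to the HTTP API rather than to `enable_local_script_checks`. Since the line is being touched anyway, consider splitting it, for example "provides a secure alternative if the HTTP API must be exposed. It is available from 1.3.0 on." The context line above it ("be `false` otherwise, even with ACLs configured, script checks present a remote code execution threat") is a comma splice and would read better with a full stop or semicolon after "otherwise".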
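Review bot: In the `@@ -88,7 +88,7 @@` hunk, the paragraph around the corrected line describes the failure (setting only `verify_server_hostname` results in plaintext between client and server) but never says what operators on 0.5.1 to 1.4.0 should do. The text already names `verify_outgoing` as the setting that was not actually implied, so consider adding a sentence telling anyone who cannot move to 1.4.1 to set `verify_outgoing` to `true` explicitly alongside `verify_server_hostname`. The run "`verify_outgoing` however due to a bug this was not the case so setting" also needs punctuation: a full stop before "However" and a comma after "case" would make the security consequence much easier to pick out.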