diff --git a/README.rst b/README.rst index cbe6c42..c8d0835 100644 --- a/README.rst +++ b/README.rst @@ -48,9 +48,10 @@ The class method ``HTTPSignatureAuth.verify()`` can be used to verify responses return 'monorail_cat' response = requests.get(url, auth=auth) - HTTPSignatureAuth.verify(response, - signature_algorithm=algorithms.HMAC_SHA256, - key_resolver=MyKeyResolver()) + verify_result = HTTPSignatureAuth.verify(response, + signature_algorithm=algorithms.HMAC_SHA256, + key_resolver=MyKeyResolver()) + # To avoid substitution attacks, only trust response data referenced by verify_result More generally, you can reconstruct an arbitrary request using the `Requests API `_ and pass it to ``verify()``:
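Review bot: The comment added on the last `+` line tells readers to trust only data referenced by `verify_result`, but the example stops at the assignment and never reads anything from `verify_result`, so the README still does not show what "referenced by" means in practice. Consider following the call with a line that consumes the verified data from `verify_result` instead of from `response`, and extend the comment to say that anything read directly from `response` after `verify()` returns is untrusted unless the signature covered it. The sentence introducing the example could also state that callers are expected to use the return value of `verify()`, since the previous form of the example discarded it.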