diff --git a/infra/conf/transport_internet.go b/infra/conf/transport_internet.go
index b8f96f6e..c46bd964 100644
--- a/infra/conf/transport_internet.go
+++ b/infra/conf/transport_internet.go
@@ -700,7 +700,9 @@ func (c *StreamConfig) Build() (*internet.StreamConfig, error) {
 }
 config.ProtocolName = protocol
 }
- if strings.EqualFold(c.Security, "tls") {
+ switch strings.ToLower(c.Security) {
+ case "", "none":
+ case "tls":
 tlsSettings := c.TLSSettings
 if tlsSettings == nil {
 tlsSettings = &TLSConfig{}
@@ -712,8 +714,7 @@ func (c *StreamConfig) Build() (*internet.StreamConfig, error) {
 tm := serial.ToTypedMessage(ts)
 config.SecuritySettings = append(config.SecuritySettings, tm)
 config.SecurityType = tm.Type
- }
- if strings.EqualFold(c.Security, "reality") {
+ case "reality":
 if config.ProtocolName != "tcp" && config.ProtocolName != "http" && config.ProtocolName != "grpc" && config.ProtocolName != "domainsocket" {
 return nil, newError("REALITY only supports TCP, H2, gRPC and DomainSocket for now.")
 }
@@ -727,6 +728,10 @@ func (c *StreamConfig) Build() (*internet.StreamConfig, error) {
 tm := serial.ToTypedMessage(ts)
 config.SecuritySettings = append(config.SecuritySettings, tm)
 config.SecurityType = tm.Type
+ case "xtls":
+ return nil, newError(`Please use VLESS flow "xtls-rprx-vision" with TLS or REALITY.`)
+ default:
+ return nil, newError(`Unknown security "` + c.Security + `".`)
 }
 if c.TCPSettings != nil {
 ts, err := c.TCPSettings.Build()
diff --git a/infra/conf/vless.go b/infra/conf/vless.go
index 01a2090b..d829cdee 100644
--- a/infra/conf/vless.go
+++ b/infra/conf/vless.go
@@ -4,7 +4,6 @@ import (
 "encoding/json"
 "runtime"
 "strconv"
- "strings"
 "syscall"
 "github.com/golang/protobuf/proto"
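Review bot: The `case "", "none":` arm of the new switch in infra/conf/transport_internet.go (first hunk) has an empty body and no comment, so a reader cannot tell whether building the stream without a security layer is intended or a forgotten branch. As far as the visible hunks show, this arm leaves `config.SecuritySettings` and `config.SecurityType` untouched, and since the third hunk's `default:` now rejects unrecognised values it is the only value of `c.Security` that yields no transport security. I would add `// No transport security requested: SecuritySettings and SecurityType are left unset.` directly under the case line. Build's body starts and ends outside the hunk.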
@@ -53,15 +52,7 @@ func (c *VLessInboundConfig) Build() (proto.Message, error) {
 }
 account.Id = u.String()
- accountFlow := account.Flow
- flows := strings.Split(account.Flow, ",")
- for _, f := range flows {
- t := strings.TrimSpace(f)
- if t != "none" {
- accountFlow = t
- }
- }
- switch accountFlow {
+ switch account.Flow {
 case "", vless.XRV:
 default:
 return nil, newError(`VLESS clients: "flow" doesn't support "` + account.Flow + `" in this version`)
diff --git a/proxy/vless/inbound/inbound.go b/proxy/vless/inbound/inbound.go
index 642cc39f..b3def4bb 100644
--- a/proxy/vless/inbound/inbound.go
+++ b/proxy/vless/inbound/inbound.go
@@ -450,20 +450,10 @@ func (h *Handler) Process(ctx context.Context, network net.Network, connection s
 var rawConn syscall.RawConn
 var input *bytes.Reader
 var rawInput *bytes.Buffer
- allowNoneFlow := false
- accountFlow := account.Flow
- flows := strings.Split(account.Flow, ",")
- for _, f := range flows {
- t := strings.TrimSpace(f)
- if t == "none" {
- allowNoneFlow = true
- } else {
- accountFlow = t
- }
- }
+
 switch requestAddons.Flow {
 case vless.XRV:
- if accountFlow == requestAddons.Flow {
+ if account.Flow == requestAddons.Flow {
 switch request.Command {
 case protocol.RequestCommandMux:
 return newError(requestAddons.Flow + " doesn't support Mux").AtWarning()
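Review bot: In infra/conf/vless.go the switch now matches `account.Flow` verbatim, so a client entry that still uses the old comma-separated form (a `,none` suffix, or padding that `strings.TrimSpace` used to remove) falls into `default:` and gets only the generic "doesn't support" message. Rejecting such an entry is the safe outcome, but nothing in the code or the message tells the operator that the suffix syntax was withdrawn. I would document the accepted set above the switch, for example `// Only "" and vless.XRV are accepted; the former ",none" suffix is no longer parsed.` Build's body continues outside the hunk.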
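Review bot: In proxy/vless/inbound/inbound.go, `if account.Flow == requestAddons.Flow` now relies on the stored flow being exactly `""` or `vless.XRV`, and the only place this diff shows that being enforced is VLessInboundConfig.Build in infra/conf/vless.go. If an account can reach this handler by a path that skips that validation (not visible here), any other stored value would be refused the XRV flow in this arm and, in the `case "":` arm of the next hunk, would be treated as an account with no flow requirement. A comment above the switch would record the assumption: `// account.Flow is expected to be "" or vless.XRV; see VLessInboundConfig.Build.` Process starts and ends outside the hunk.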
@@ -503,10 +493,9 @@ func (h *Handler) Process(ctx context.Context, network net.Network, connection s
 } else {
 return newError(account.ID.String() + " is not able to use " + requestAddons.Flow).AtWarning()
 }
- case "", "none":
- if accountFlow == vless.XRV && !allowNoneFlow && (request.Command == protocol.RequestCommandTCP || isMuxAndNotXUDP(request, first)) {
- return newError(account.ID.String() + " is not able to use " + vless.XRV +
- ". Note the pure tls proxy has certain tls in tls characters. Append \",none\" in flow to suppress").AtWarning()
+ case "":
+ if account.Flow == vless.XRV && (request.Command == protocol.RequestCommandTCP || isMuxAndNotXUDP(request, first)) {
+ return newError(account.ID.String() + " is not able to use \"\". Note that the pure TLS proxy has certain TLS in TLS characters.").AtWarning()
 }
 default:
 return newError("unknown request flow " + requestAddons.Flow).AtWarning()
@@ -557,7 +546,7 @@ func (h *Handler) Process(ctx context.Context, network net.Network, connection s
 // TODO enable splice
 ctx = session.ContextWithInbound(ctx, nil)
 err = encoding.XtlsRead(clientReader, serverWriter, timer, netConn, rawConn, input, rawInput, counter, ctx, account.ID.Bytes(),
- &numberOfPacketToFilter, &enableXtls, &isTLS12orAbove, &isTLS, &cipher, &remainingServerHello)
+ &numberOfPacketToFilter, &enableXtls, &isTLS12orAbove, &isTLS, &cipher, &remainingServerHello)
 } else {
 // from clientReader.ReadMultiBuffer to serverWriter.WriteMultiBufer
 err = buf.Copy(clientReader, serverWriter, buf.UpdateActivity(timer))
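Review bot: The rewritten warning in the `case "":` arm still begins with `account.ID.String()`, so every rejected connection writes the account ID to the log; if that ID is the UUID the client authenticates with, as the UUID handling in infra/conf/vless.go suggests, the warning log ends up holding credentials. A non-secret label for the user would identify the account just as well for the operator (which field is available is not visible in this hunk). The wording `is not able to use \"\"` is also hard to interpret in a log line; something like `" must use flow " + vless.XRV + " for TCP and non-XUDP mux requests"` states what was refused. The `else` branch in the context lines above logs the ID the same way, and Process continues outside the hunk.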