Despite the enormous theoretical and experimental progress made so far in quantum key distribution (QKD), the security of most existing QKD implementations is not rigorously established yet. A critical obstacle is that almost all existing security proofs make ideal assumptions on the QKD devices. Problematically, such assumptions are hard to satisfy in the experiments, and therefore it is not obvious how to apply such security proofs to practical QKD systems. Fortunately, any imperfections and security-loopholes in the measurement devices can be perfectly closed by measurement-device-independent QKD (MDI-QKD), and thus we only need to consider how to secure the source devices. Among imperfections in the source devices, correlations between the sending pulses are one of the principal problems. In this paper, we consider a setting-choice-independent correlation (SCIC) framework in which the sending pulses can present arbitrary correlations but they are independent of the previous setting choices such as the bit, the basis and the intensity settings. Within the framework of SCIC, we consider the dominant fluctuations of the sending states, such as the relative phases and the intensities, and provide a self-contained information theoretic security proof for the loss-tolerant QKD protocol in the finite-key regime. We demonstrate the feasibility of secure quantum communication within a reasonable number of pulses sent, and thus we are convinced that our work constitutes a crucial step toward guaranteeing implementation security of QKD.