diff --git a/server-cli/src/web/ui/api.rs b/server-cli/src/web/ui/api.rs
index 0e6949e5c7..845fa783a4 100644
--- a/server-cli/src/web/ui/api.rs
+++ b/server-cli/src/web/ui/api.rs
@@ -64,6 +64,8 @@ async fn log_users(
     Ok(next.run(req).await)
 }
 
+//TODO: do security audit before we extend this api with more security relevant
+// functionality (e.g. account management)
 pub fn router(web_ui_request_s: UiRequestSender, secret_token: String) -> Router {
     let token = UiApiToken { secret_token };
     let ip_addrs = IpAddresses::default();
diff --git a/server-cli/src/web/ui/mod.rs b/server-cli/src/web/ui/mod.rs
index 3117968c3e..7ce1a066f7 100644
--- a/server-cli/src/web/ui/mod.rs
+++ b/server-cli/src/web/ui/mod.rs
@@ -67,6 +67,8 @@ Ui is only accessible from 127.0.0.1. Usage of proxies is forbidden.
     let cookie = format!("X-Secret-Token={}; SameSite=Strict", token.secret_token);
 
+    //Note: at this point we give a user our secret for the Api, this is only
+    // intended for local users, protect this route against the whole internet
     response.headers_mut().insert(
         SET_COOKIE,
         HeaderValue::from_str(&cookie).expect("An invalid secret-token for ui was provided"),
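Review bot: The TODO added above `router` in api.rs records an intent to audit but not the assumption the current code relies on, so whoever extends this API next has nothing concrete to check against; a doc comment on the function stating the boundary would carry that, e.g. `/// Router for the local web-UI API. Access is gated by the secret wrapped in `UiApiToken` (the same value the UI route hands out as the `X-Secret-Token` cookie, see mod.rs) and is intended for loopback users only; confirm this before adding endpoints that mutate state.` The TODO itself should then stay beneath it with a tracker reference, `// TODO(<issue-id placeholder>): security audit before extending with account management or other security-relevant functionality`, and written as `// TODO:` with the conventional space after `//`. How the token is actually verified on incoming requests is not visible in this hunk, and `router`'s body continues past it, so the wording above is an assumption to confirm against the rest of the file.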