diff --git a/middleware/util.go b/middleware/util.go
index 0aa0420fc..4d2d172fc 100644
--- a/middleware/util.go
+++ b/middleware/util.go
@@ -74,6 +74,12 @@ func randomString(length uint8) string {
 r := make([]byte, length+(length/4)) // perf: avoid read from rand.Reader many times
 var i uint8 = 0
+ // security note:
+ // we can't just simply do b[i]=randomStringCharset[rb%len(randomStringCharset)],
+ // len(len(randomStringCharset)) is 52, and rb is [0, 255], 256 = 52 * 4 + 48.
+ // make the first 48 characters more possibly to be generated then others.
+ // So we have to skip bytes when rb > randomStringMaxByte
+
 for {
 _, err := io.ReadFull(reader, r)
 if err != nil {