diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 012035dbd..16cf274fd 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -199,6 +199,9 @@ http {
       proxy_set_header Host file-monitor.malcolm.local;
     }
 
+    # extracted file download hedgehog redirect
+    # TODO: this is not very secure: we need to validate somehow
+    #   that we're not just redirecting to some bad place
     location ~* ^/hh-extracted-files/([a-zA-Z0-9-\.]+)\b(.*) {
       include /etc/nginx/nginx_auth_rt.conf;
       set $upstream $1:8006;