diff --git a/signup.go b/signup.go
index 135fb61..85e743e 100644
--- a/signup.go
+++ b/signup.go
@@ -46,6 +46,16 @@ func writeToFile(filename string, a string) {
 }
 
 func handler2(w http.ResponseWriter, r *http.Request) {
+	// NOTE:
+	// NOTE: If you are having to enable 'CORS' then
+	// NOTE: something is really wrong with the design
+	// NOTE: and general architecture. Never allow this.
+	// NOTE: fix your design the right way.
+	// NOTE:
+	// 
+	// TODO: remove all ability to accept any CORS
+	//       on any WIT backend and infrastructre anything
+	// 
 	w.Header().Set("Access-Control-Allow-Origin", "*")
 	w.Header().Set("Access-Control-Allow-Methods", "POST, GET, OPTIONS, PUT, DELETE")
 	w.Header().Set("Access-Control-Allow-Headers", "Accept, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization")