diff --git a/src/middleware/user.js b/src/middleware/user.js
index 903195ebd9..556a919821 100644
--- a/src/middleware/user.js
+++ b/src/middleware/user.js
@@ -34,6 +34,7 @@ module.exports = function (middleware) {
 const loginAsync = util.promisify(req.login).bind(req);
 if (req.loggedIn) {
+ // If authenticated via cookie (express-session), protect routes with CSRF checking
 if (res.locals.isAPI) {
 await middleware.applyCSRFasync(req, res);
 }