diff --git a/app/models/session.rb b/app/models/session.rb
index ffeaad4c34f04f49351d35da8e2bcd27cfe8bb03..bfc22477df2618024727a5b4fab557e3d781fcf7 100644
--- a/app/models/session.rb
+++ b/app/models/session.rb
@@ -13,6 +13,7 @@ class Session < ApplicationRecord
   scope :future, -> { where(starts_at: Time.now..) }
 
   validates :ref_id, uniqueness: { scope: :conference_id }
+  # ref_id is used as part of a path, so make sure its safe
   validates :ref_id, format: { with: /\A[0-9a-fA-F-]+\z/, message: "only allows hexadecimal characters and minus" }
 
   after_update :notify_if_changed