diff --git a/lib/Controller/RawResponse.php b/lib/Controller/RawResponse.php
index e7b10e7..99ebdfa 100644
--- a/lib/Controller/RawResponse.php
+++ b/lib/Controller/RawResponse.php
@@ -13,8 +13,9 @@ trait RawResponse {
 		$content = $fileNode->getContent();
 		$mimetype = $fileNode->getMimeType();
 
-		// Ugly hack to prevent security middleware messing up the CSP.
-		header(
+		// Ugly hack to have exact control over the response, to e.g. prevent security middleware
+		// messing up the CSP. TODO find a neater solution than bluntly doing header() + echo + exit.
+		header( // Add a super strict CSP: no connectivity allowed.
 			"Content-Security-Policy: sandbox; default-src 'none'; img-src data:; media-src data:; "
 			. "style-src data: 'unsafe-inline'; font-src data:; frame-src data:"
 		);