diff --git a/server.js b/server.js
index 0ae1109..ed4b006 100644
--- a/server.js
+++ b/server.js
@@ -126,7 +126,10 @@ function decryptCookie(ciphertext){
     return JSON.parse(deciphered);
 }
 
-// broadcast isn't user specific right now... 
+// accept websocket connections.  currently are parsing the userid from the path to 
+// map the connections to only notify on changes from the same user.
+// this simple mapping of holding all connections in memory here won't really scale beyond 
+// one server instance - but that's not really the use case for tinypin.
 app.ws('/ws/:uid', (ws, req) => {
     ws.on("message", (msg) => {
         //console.log("received messsage: " + msg);
diff --git a/static/ws.js b/static/ws.js
index a385f86..8d9b381 100644
--- a/static/ws.js
+++ b/static/ws.js
@@ -1,6 +1,11 @@
 // decorate on web socket functions.  if web sockets fail to work, the app should keep working anyway.
 // if you want to permanently disable websockets, just remove the src include 
 
+// the websocket is ONLY used to broadcast refresh notifications, no interesting data is passed
+// across the wire.  this is done because it can be harder to support certain security and proxy
+// modes for different browsers, particularly client ssl certifacts are not passed by safari.
+//
+// by not passing any interesting data, it's reasonably safe to let the websocket remain open
 window.socketConnected = false;
 window.socket = null;