diff --git a/server/TODO b/server/TODO
index 47c069f..6d2dfde 100644
--- a/server/TODO
+++ b/server/TODO
@@ -14,6 +14,9 @@
 
 ## OCaml server
 
+ - Make the webserver listen on a random URL to avoid cross-site scripting
+   attacks on localhost from malicious random internet webpages.
+
  - use lazy and Lazy.force where appropriate
 
  - Figure out how to avoid the overhead of Message.message_of_sexp