diff --git a/java/ql/src/semmle/code/java/security/RequestForgery.qll b/java/ql/src/semmle/code/java/security/RequestForgery.qll
index 1ff2a58b7a0..c57fb0b33cb 100644
--- a/java/ql/src/semmle/code/java/security/RequestForgery.qll
+++ b/java/ql/src/semmle/code/java/security/RequestForgery.qll
@@ -222,6 +222,10 @@ private class HostnameSanitizingPrefix extends CompileTimeConstantExpr {
 int offset;
 
 HostnameSanitizingPrefix() {
+ // Matches strings that look like when prepended to untrusted input, they will restrict
+ // the host or entity addressed: for example, anything containing `?` or `#`, or a slash that
+ // doesn't appear to be a protocol specifier (e.g. `http://` is not sanitizing), or specifically
+ // the string "/".
 exists(
 this.getStringValue()
 .regexpFind(".*([?#]|[^?#:/\\\\][/\\\\]).*|[/\\\\][^/\\\\].*|^/$", 0, offset)
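Review bot: The new comment in the HostnameSanitizingPrefix constructor only speaks of a "slash", but the character classes `[/\\\\]` and `[^?#:/\\\\]` in the regex treat a backslash exactly like a forward slash, so a reader of the comment will not expect `\` prefixes to count as sanitizing. The first sentence is also hard to parse ("strings that look like when prepended to untrusted input, they will restrict"). I would reword the opening to `// Matches strings that, when prepended to untrusted input, will restrict the host or entity` and add a line such as `// Both forward and backward slashes are treated as path separators here.` after the existing text. It may also be worth stating that this is a heuristic on the constant prefix alone, since the regex cannot see what the untrusted suffix contains; the sanitizer's scope beyond this predicate is not visible in the hunk.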