diff --git a/src/WebModules.cpp b/src/WebModules.cpp
index 2170d515..b7065886 100644
--- a/src/WebModules.cpp
+++ b/src/WebModules.cpp
@@ -647,14 +647,15 @@ CWebSock::EPageReqResult CWebSock::OnPageRequestInternal(const CString& sURI,
 return PAGE_DONE;
 }
 
- // Check that they really POSTed from one our forms by checking if they
+ // For pages *not provided* by modules, a CSRF check is performed which involves:
+ // Ensure that they really POSTed from one our forms by checking if they
 // know the "secret" CSRF check value. Don't do this for login since
 // CSRF against the login form makes no sense and the login form does a
 // cookies-enabled check which would break otherwise.
 // Don't do this, if user authenticated using http-basic auth, because:
 // 1. they obviously know the password,
 // 2. it's easier to automate some tasks e.g. user creation, without need to
- // care about cookies and csrf
+ // care about cookies and CSRF
 if (IsPost() && !m_bBasicAuth && !sURI.StartsWith("/mods/") &&
 !ValidateCSRFCheck(sURI)) {
 DEBUG("Expected _CSRF_Check: " << GetCSRFCheck());
@@ -804,6 +805,7 @@ CWebSock::EPageReqResult CWebSock::OnPageRequestInternal(const CString& sURI,
 if (!pModule) return PAGE_NOTFOUND;
 
 // Pass CSRF check to module.
+ // Note that the normal CSRF checks are not applied to /mods/ URLs.
 if (IsPost() && !m_bBasicAuth &&
 !pModule->ValidateWebRequestCSRFCheck(*this, m_sPage)) {
 DEBUG("Expected _CSRF_Check: " << GetCSRFCheck());
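Review bot: The reworded justification for skipping the CSRF check when `m_bBasicAuth` is set ("they obviously know the password") does not cover the browser case: a browser that has cached HTTP Basic credentials for this origin may attach them to a cross-site form POST, so the attacker never needs the password, and the bypass is a trade-off in favour of automation rather than evidence that CSRF is impossible. I would say so in the comment, e.g. `// NOTE: this assumes Basic auth is used by scripts, not browsers; a browser that has cached Basic credentials may replay them on a cross-site POST, so this is a deliberate trade-off, not a proof that CSRF cannot happen.` Separately, the new lead-in `// For pages *not provided* by modules, a CSRF check is performed which involves:` followed by `// Ensure that they really POSTed ...` reads as two half-sentences; `// For pages not provided by modules (URIs outside /mods/), check that they really POSTed from one of our forms, i.e. that they` would join them into one. OnPageRequestInternal begins and ends outside this hunk.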
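Review bot: The added note says the normal CSRF checks are not applied to /mods/ URLs but not what stands in for them; from the condition on the next line, `pModule->ValidateWebRequestCSRFCheck(*this, m_sPage)` appears to be the only CSRF gate for module pages, and it is still skipped for HTTP Basic auth just like the non-module path. A module whose hook always returns true therefore opts all of its pages out of CSRF protection, which is the point a maintainer touching this code needs to know. I would extend the comment to `// Note that the normal CSRF checks are not applied to /mods/ URLs: the module's ValidateWebRequestCSRFCheck() is the only CSRF gate for its pages (still skipped under HTTP Basic auth), so a module that always returns true disables CSRF protection for everything it serves.` OnPageRequestInternal begins and ends outside this hunk.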