diff --git a/revel/skeleton/app/init.go b/revel/skeleton/app/init.go
index 0b9714f..b4e614f 100644
--- a/revel/skeleton/app/init.go
+++ b/revel/skeleton/app/init.go
@@ -38,9 +38,8 @@ func init() {
 }
 
 // HeaderFilter adds common security headers
-// TODO turn this into revel.HeaderFilter
-// should probably also have a filter for CSRF
-// not sure if it can go in the same filter or not
+// There is a full implementation of a CSRF filter in
+// https://github.com/revel/modules/tree/master/csrf
 var HeaderFilter = func(c *revel.Controller, fc []revel.Filter) {
 	c.Response.Out.Header().Add("X-Frame-Options", "SAMEORIGIN")
 	c.Response.Out.Header().Add("X-XSS-Protection", "1; mode=block")
diff --git a/revel/skeleton/conf/routes b/revel/skeleton/conf/routes
index 35e99fa..ba93d61 100644
--- a/revel/skeleton/conf/routes
+++ b/revel/skeleton/conf/routes
@@ -15,5 +15,12 @@ GET     /favicon.ico                            404
 # Map static resources from the /app/public folder to the /public path
 GET     /public/*filepath                       Static.Serve("public")
 
-# Catch all
-*       /:controller/:action                    :controller.:action
+# Catch all, this will route any request into the controller path
+#
+#                    **** WARNING ****
+# Enabling this exposes any controller and function to the web.
+# ** This is a serious security issue if used online **
+#
+# For rapid development uncomment the following to add new controller.action endpoints
+# without having to add them to the routes table.
+# *       /:controller/:action                    :controller.:action