diff --git a/devdocs/todo.txt b/devdocs/todo.txt
index e4b41443..b9e32e07 100644
--- a/devdocs/todo.txt
+++ b/devdocs/todo.txt
@@ -53,6 +53,13 @@ todo: password protect rockfish docs  https://www.tecmint.com/password-protect-w
 	NOPE, above is all wrong it should be done through asp.net core not nginx, as that is what is serving the files:
 	https://docs.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-5.0#static-file-authorization
 
+	NOPE! asp.net core doesn't get a bearer token when a static file is requested so it can't be authenticated
+	this is looking like it should be put in it's own folder back to basic authentication again in nginx but keep it outside of the spa entirely
+	maybe just ayanova.com/rfdocs or something?
+
+	Or, maybe it can be not authorized at all but have .netcore check the referrir is rockfish itself and if not say unauthorized so it's a sneaky obscure security but not a problem maybe??
+	
+
 todo: add raven download folders to backup if not already, (maybe part of website backup?) confirm all the archival old files getting backed up this is critical
 
 PARALLEL work