diff --git a/doc/security/comment_1_285da453a385bd4bd225e26377a47cd5._comment b/doc/security/comment_1_285da453a385bd4bd225e26377a47cd5._comment
new file mode 100644
index 0000000000..016012fd5b
--- /dev/null
+++ b/doc/security/comment_1_285da453a385bd4bd225e26377a47cd5._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="https://me.yahoo.com/a/iOGTltEpmOTQ.xZ99NFP5c7Zdcc-#6a7ba"
+ nickname="Ilya S"
+ avatar="http://cdn.libravatar.org/avatar/8a133555cc739a35b83b07d5724d28d9e2f7852c224e949eec6fd4fb7693331e"
+ subject="comment 1"
+ date="2018-09-07T21:08:24Z"
+ content="""
+It would be good if annex.security.allowed-http-addresses could add an exception not just for any 'localhost' access, but only for URLs matching a given regexp, e.g. only for
+http://localhost:808?/dnanexus/file-[a-f0-9]+
+"""]]