diff --git a/infra/caddy/Caddyfile b/infra/caddy/Caddyfile
index b3d1e971..3b47d4e6 100644
--- a/infra/caddy/Caddyfile
+++ b/infra/caddy/Caddyfile
@@ -22,6 +22,10 @@
 # XSS landing in a privileged origin: a payload cannot silently turn
 # on the microphone or read geolocation.
 Permissions-Policy "camera=(), microphone=(), geolocation=()"
+ # No Content-Security-Policy is set yet. When one is added, it MUST
+ # include `script-src 'wasm-unsafe-eval'` and `worker-src 'self' blob:`
+ # or the pdf.js WebAssembly image decoders (JBIG2/CCITTFax/JPEG2000)
+ # and worker will be blocked and scanned PDFs render blank. See #708.
 -Server
 }
 }
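Review bot: The added comment presents `script-src 'wasm-unsafe-eval'` as the required value, but a directive containing only that keyword would block the page's own scripts; the comment should say these are additions to the normal source list, e.g. `script-src 'self' 'wasm-unsafe-eval'`, and should state that `'unsafe-eval'` is not an acceptable fallback, since it would re-enable eval()/Function() for any injected script and undo the XSS containment the surrounding Permissions-Policy comment is aiming for. Because the origin is deliberately left without a CSP for now, it would be worth adding a `Content-Security-Policy-Report-Only` header with the proposed directives in this same block, so violations (including any the pdf.js worker triggers) are observed before enforcement rather than discovered as blank PDFs. Whether the worker is actually loaded from a `blob:` URL depends on how pdf.js is bundled, which this hunk does not show, so `worker-src 'self' blob:` should be confirmed against #708 before a real policy is written. The enclosing block that holds these headers starts before the hunk.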