diff --git a/lib/env.js b/lib/env.js index b3ed7cf35..389f059f6 100644 --- a/lib/env.js +++ b/lib/env.js @@ -89,6 +89,10 @@ module.exports.create = function (config) { } }, +/* FIXME restrictRegistration is initialized as false and then overridden by admin decree + There is a narrow window in which someone could register before the server updates this value. + See also the cached 'restrictRegistration' value in server.js#serveConfig +*/ restrictRegistration: false, allowSubscriptions: config.allowSubscriptions === true, blockDailyCheck: config.blockDailyCheck === true, diff --git a/server.js b/server.js index 978070b01..3a71f83b8 100644 --- a/server.js +++ b/server.js @@ -105,7 +105,6 @@ var setHeaders = (function () { } if (Object.keys(headers).length) { return function (req, res) { - // apply a bunch of cross-origin headers for XLSX export in FF and printing elsewhere applyHeaderMap(res, { "Cross-Origin-Opener-Policy": /^\/sheet\//.test(req.url)? 'same-origin': '', @@ -280,7 +279,7 @@ var serveConfig = makeRouteCache(function (host) { defaultStorageLimit: Env.defaultStorageLimit, maxUploadSize: Env.maxUploadSize, premiumUploadSize: Env.premiumUploadSize, - restrictRegistration: Env.restrictRegistration, + restrictRegistration: Env.restrictRegistration, // FIXME see the race condition in env.js }, null, '\t'), 'obj.httpSafeOrigin = ' + (function () { if (config.httpSafeOrigin) { return '"' + config.httpSafeOrigin + '"'; }
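Review bot: `restrictRegistration: false` in lib/env.js is a fail-open default, and the added FIXME records the race without closing it: until the admin decree is applied, an instance that is meant to be closed would still accept a registration request. Consider keeping registration closed until the decrees have loaded, for example with a separate readiness flag that the registration path checks. Simply flipping the default to `true` would presumably lock instances that never set the decree. The comment would also help more if it named where the override happens, e.g. `// overridden in <decree loader, placeholder> once admin decrees are replayed`. The enclosing `create` function starts and ends outside the hunk.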
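Review bot: In the server.js hunk at `@@ -280,7 +279,7 @@`, the `restrictRegistration` value is emitted through `makeRouteCache`, so a response built before the decree is applied may keep advertising `false` after `Env.restrictRegistration` has changed; the trailing FIXME points at env.js but does not say this. If the cache is not already flushed when a decree updates Env (not visible in this hunk), that invalidation should be added, and the comment could read `// FIXME cached: must be flushed when a decree changes Env.restrictRegistration`. Because this value is served to the client, it should only drive the UI; the registration handler needs to check `Env.restrictRegistration` itself at request time. The `serveConfig` body continues outside the hunk.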