diff --git a/05.md b/05.md index 6c5fe6f..0de810b 100644 --- a/05.md +++ b/05.md @@ -71,3 +71,10 @@ Access-Control-Allow-Origin: * Users should ensure that their `/.well-known/nostr.json` is served with the HTTP header `Access-Control-Allow-Origin: *` to ensure it can be validated by pure JS apps running in modern browsers. [CORS]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS + +### Security Constraints + +The `/.well-known/nostr.json` endpoint MUST NOT return any HTTP redirects. + +Fetchers MUST ignore any HTTP redirects given by the `/.well-known/nostr.json` endpoint. +
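Review bot: The two new MUST statements in the "Security Constraints" section give no rationale and leave "ignore" underspecified; suggest stating why redirects are excluded (a followed redirect would mean the document is fetched from wherever the redirect points rather than from the endpoint that was queried) and spelling out what a fetcher does on a 3xx, e.g. "Fetchers MUST NOT follow HTTP redirects from the `/.well-known/nostr.json` endpoint; a redirect response MUST be treated as a failed lookup." Style point: the hunk ends with an empty `+` line, which adds a trailing blank line at end of file; drop it unless the file convention requires it.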