From 4caecd1928f68e9df515c4dff54ede08325a7e30 Mon Sep 17 00:00:00 2001
From: Hugh Nimmo-Smith <hughns@element.io>
Date: Thu, 25 Jul 2024 10:13:26 +0100
Subject: [PATCH] Additional notes on security considerations

---
 proposals/4140-delayed-events-futures.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/proposals/4140-delayed-events-futures.md b/proposals/4140-delayed-events-futures.md
index 26939f3fb..baabec9f7 100644
--- a/proposals/4140-delayed-events-futures.md
+++ b/proposals/4140-delayed-events-futures.md
@@ -585,8 +585,13 @@ The following alternative names for this concept are considered
 
 ## Security considerations
 
+All new endpoints are authenticated.
+
 Servers SHOULD impose a maximum timeout value for future timeouts of not more than a month.
 
+As described [above](#power-levels-are-evaluated-at-the-point-of-sending), the homeserver MUST evaluate and enforce the
+power levels at the time of the delayed event being sent (i.e. added to the DAG).
+
 ## Unstable prefix
 
 Whilst the MSC is in the proposal stage, the following should be used: