diff --git a/src/registrar/config/settings.py b/src/registrar/config/settings.py
index 60cc90692..9db15e93f 100644
--- a/src/registrar/config/settings.py
+++ b/src/registrar/config/settings.py
@@ -304,6 +304,10 @@ CSP_DEFAULT_SRC = allowed_sources
 # explicitly set
 CSP_FRAME_ANCESTORS = allowed_sources
 CSP_FORM_ACTION = allowed_sources
+
+# Google analytics requires that we relax our otherwise
+# strict CSP by allowing scripts to run from their domain
+# and inline with a nonce, as well as allowing connections back to their domain
 CSP_SCRIPT_SRC_ELEM = ["'self'", "https://www.googletagmanager.com/"]
 CSP_CONNECT_SRC = ["'self'", "https://www.google-analytics.com/"]
 CSP_INCLUDE_NONCE_IN = ["script-src-elem"]
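Review bot: The added comment understates what the policy below it grants: listing `https://www.googletagmanager.com/` as a host source in `CSP_SCRIPT_SRC_ELEM` trusts every script served from that origin, not just the analytics tag, and the nonce from `CSP_INCLUDE_NONCE_IN` is attached only to `script-src-elem`, so the `script-src` fallback and inline handlers (`script-src-attr`) are not covered by it. A reader maintaining this block should see that scope spelled out rather than "relax our otherwise strict CSP". I would reword the three comment lines to something like `# Google Analytics: script-src-elem must allow www.googletagmanager.com (this trusts any script from that host, not only the tag)` / `# plus a per-request nonce for the inline snippet (nonce is emitted only for script-src-elem);` / `# connect-src must allow www.google-analytics.com for the beacon requests.` The definition of `allowed_sources` and any `CSP_SCRIPT_SRC` setting are outside the hunk, so whether those fallbacks are equally strict cannot be confirmed from here.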