diff --git a/src/matrix/hs-api.js b/src/matrix/hs-api.js
index e54b66f6..07e9babc 100644
--- a/src/matrix/hs-api.js
+++ b/src/matrix/hs-api.js
@@ -21,7 +21,9 @@ class RequestWrapper {
 export default class HomeServerApi {
 constructor(homeserver, accessToken) {
- this._homeserver = homeserver;
+ // store these both in a closure somehow so it's harder to get at in case of XSS?
+ // one could change the homeserver as well so the token gets sent there, so both must be protected from read/write
+ this._homeserver = homeserver;
 this._accessToken = accessToken;
 }
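Review bot: The comment added above `this._homeserver = homeserver;` poses the XSS concern as an open question with no TODO marker, so it is likely to stay a remark while `_homeserver` and `_accessToken` remain plain, writable instance properties. It also overstates what a closure would buy: hiding the two values stops direct property reads and writes, but script running in the same origin could presumably still drive this instance's request methods, so the primary defence remains preventing injection (output escaping, a restrictive CSP). I would reword it to `// TODO: keep homeserver and accessToken out of instance properties (closure); this only blocks direct read/write, it does not make the token safe under XSS`. The constructor is fully visible here, but the rest of HomeServerApi, including how the token is attached to requests, lies outside the hunk.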