diff --git a/app/lib/App/Core/AccessControl.php b/app/lib/App/Core/AccessControl.php
index b286dec..ca45321 100644
--- a/app/lib/App/Core/AccessControl.php
+++ b/app/lib/App/Core/AccessControl.php
@@ -19,11 +19,18 @@ class AccessControl {
 $this->app = $app;
+ /**
+ * WARNING WARNING WARNING:
+ *
+ * Never use an asterisk without putting anything before it like this "*".
+ * An attacker could leverage this by putting a forward slash behind a
+ * protected page like this "protected-page.php/pwned!" to gain access.
+ */
 $this->acl = [
 // routes that need power level 1 and up
 [
 "routes" => [
- "race/simulator.php",
+ "race/simulator.php*",
 "race/configure/*"
 ],
 "catcher" => [
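Review bot: Appending `*` to `race/simulator.php` closes the `race/simulator.php/pwned` path-info bypass for this one route only, and it patches the symptom in the pattern rather than the cause in the matcher, so every other exact-match route in `$this->acl` (the rest of the array, and the constructor it sits in, continue outside this hunk) stays bypassable the same way. Unless the route matcher canonicalizes the request path before globbing — percent-decoding, collapsing `//` and `./` segments, and comparing against the resolved script path rather than the raw request URI — variants such as `race//simulator.php` or `race/simulator%2Ephp` are likely to slip past even the suffixed pattern; the matcher is not visible here, so that needs confirming. The new WARNING comment also contradicts its own example: its first sentence warns against a bare `"*"`, while the bypass it describes is caused by a *missing* trailing `*`, so it should say something like `Every route pattern must end in "*" (e.g. "page.php*"): a bare "page.php" can be bypassed by appending path info such as "page.php/pwned".` Consider enforcing that invariant in code (reject or auto-suffix patterns without a wildcard when the ACL is built) and adding a default-deny rule so an unmatched path fails closed instead of relying on a comment.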