diff --git a/content/server-server-api.md b/content/server-server-api.md
index e1b57c962..6051ed0f8 100644
--- a/content/server-server-api.md
+++ b/content/server-server-api.md
@@ -1228,7 +1228,6 @@ of `M_FORBIDDEN`.
 
 The following endpoint prefixes MUST be protected:
 
--   `/_matrix/federation/v1/send` (on a per-PDU basis)
 -   `/_matrix/federation/v1/make_join`
 -   `/_matrix/federation/v1/make_leave`
 -   `/_matrix/federation/v1/send_join`
@@ -1245,6 +1244,22 @@ The following endpoint prefixes MUST be protected:
 -   `/_matrix/federation/v1/event_auth`
 -   `/_matrix/federation/v1/get_missing_events`
 
+Additionally the [`/_matrix/federation/v1/send/{txnId}`](#put_matrixfederationv1sendtxnid)
+endpoint MUST be protected as follows:
+
+-   ACLs MUST be applied on a per-PDU basis. If the `origin` server is
+    denied access to the room identified by `room_id`, the PDU MUST be
+    ignored with an appropriate error included in the response for the
+    respective event ID.
+-   ACLs MUST be applied on a per-EDU basis to all EDUs that are local
+    to a specific room. This includes:
+
+    -   [Typing notifications (m.typing)](#typing-notifications)
+    -   [Receipts (m.receipt)](#receipts)
+
+    If the `origin` server is denied access to the room identified by
+    `room_id`, the EDU MUST be ignored.
+
 ## Signing Events
 
 Signing events is complicated by the fact that servers can choose to