diff --git a/frontend/astro.config.mjs b/frontend/astro.config.mjs
index f6fe766..c96e206 100644
--- a/frontend/astro.config.mjs
+++ b/frontend/astro.config.mjs
@@ -9,6 +9,14 @@ import node from '@astrojs/node';
 export default defineConfig({
 output: 'server',
 integrations: [react()],
+ // Astro's CSRF Origin/Host check fires on form-encoded POSTs and compares
+ // protocols. Behind a TLS-terminating proxy (Traefik), Node sees http://
+ // locally while the browser sends Origin: https://, which falsely fails the
+ // check. SameSite=Strict on the auth cookie + server-side token validation
+ // handle CSRF instead.
+ security: {
+ checkOrigin: false,
+ },
 image: { service: { entrypoint: 'astro/assets/services/noop' } },
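Review bot: `checkOrigin: false` in the added `security` block switches off the Origin check for every route, and neither of the two replacements named in the comment is enforced or visible in this hunk. SameSite=Strict is scoped to the site rather than the origin, so a request from a sibling subdomain still carries the auth cookie, and validating the session token is not a CSRF defence if that token travels in the same cookie. Consider keeping the check on by having Traefik pass the original scheme (`X-Forwarded-Proto`) and confirming that the Node adapter honours it; if the check has to stay off, comparing `Origin` against an allowlist in middleware for non-GET requests would cover the gap. At minimum the comment should say where the compensating controls live, e.g. `// CSRF: see <path-to-auth-cookie-setup> (SameSite=Strict) and <path-to-token-check>`.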