diff --git a/.env.example b/.env.example
index 8ecd860..9ca59fd 100644
--- a/.env.example
+++ b/.env.example
@@ -93,6 +93,14 @@ AUTHENTIK_COOKIE_DOMAIN=.localhost
 AUTHENTIK_PORT_HTTP=9000
 AUTHENTIK_PORT_HTTPS=9443
+# ======================
+# CSRF Protection
+# ======================
+# CRITICAL: Generate a random secret for CSRF token signing
+# Required in production; auto-generated in development (not persistent across restarts)
+# Command to generate: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
+CSRF_SECRET=REPLACE_WITH_64_CHAR_HEX_STRING
+
 # ======================
 # JWT Configuration
 # ======================
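Review bot: The placeholder `CSRF_SECRET=REPLACE_WITH_64_CHAR_HEX_STRING` is a non-empty value, so a deployment that copies `.env.example` to `.env` without editing it will pass any presence-only check and sign CSRF tokens with a publicly known string; the template should say what happens in that case. I cannot see the code that reads `CSRF_SECRET`, but if it only tests for an empty value, the comment block should be extended with a line such as `# The server must refuse to start in production when this is unset or still equals the placeholder above`, and the startup validation should enforce exactly that. It would also help to state that the generated value belongs only in the untracked `.env` file and must never be committed or reused across environments.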