diff --git a/apps/api/src/auth/auth.controller.ts b/apps/api/src/auth/auth.controller.ts
index c3f98b6..bb2e2d7 100644
--- a/apps/api/src/auth/auth.controller.ts
+++ b/apps/api/src/auth/auth.controller.ts
@@ -89,6 +89,12 @@ export class AuthController {
 * Rate limiting and logging are applied to mitigate abuse (SEC-API-10).
 */
 @All("*")
+ /**
+ * BetterAuth implements CSRF protection internally via Fetch Metadata headers
+ * (Sec-Fetch-Site, Sec-Fetch-Mode) and SameSite=Lax cookies. The @SkipCsrf()
+ * decorator skips the custom CSRF guard to avoid double-protection conflicts.
+ * Reference: https://www.better-auth.com/docs/reference/security
+ */
 @SkipCsrf()
 @Throttle({ strict: { limit: 10, ttl: 60000 } })
 async handleAuth(@Req() req: ExpressRequest, @Res() res: ExpressResponse): Promise {
diff --git a/docker-compose.swarm.portainer.yml b/docker-compose.swarm.portainer.yml
index 7ad1e55..a544963 100644
--- a/docker-compose.swarm.portainer.yml
+++ b/docker-compose.swarm.portainer.yml
@@ -293,7 +293,7 @@ services:
 OIDC_ISSUER: ${OIDC_ISSUER}
 OIDC_CLIENT_ID: ${OIDC_CLIENT_ID}
 OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET}
-OIDC_REDIRECT_URI: ${OIDC_REDIRECT_URI:-http://localhost:3001/auth/callback}
+OIDC_REDIRECT_URI: ${OIDC_REDIRECT_URI:-}
 JWT_SECRET: ${JWT_SECRET:-change-this-to-a-random-secret}
 JWT_EXPIRATION: ${JWT_EXPIRATION:-24h}
 BETTER_AUTH_SECRET: ${BETTER_AUTH_SECRET}
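Review bot: The new JSDoc block sits between the `@All("*")` and `@SkipCsrf()` decorators rather than inside the method's own doc comment, which ends at the ` */` two lines above it; a comment in that position is legal but is not attached to `handleAuth` by editors or doc tooling, so the rationale for skipping the CSRF guard is easy to lose in a later refactor. Fold the text into the existing JSDoc above `@All("*")`, for example as a closing paragraph `CSRF: BetterAuth enforces origin checks itself (Fetch Metadata headers, SameSite=Lax cookies); @SkipCsrf() avoids double-handling rather than removing protection.` The justification also depends on the library's own origin validation being configured for this deployment (its trustedOrigins setting), which this hunk cannot show, so state that precondition in the comment so a later config change does not silently leave the route without any CSRF check. handleAuth's body continues outside the hunk.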
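Review bot: Replacing the localhost default with `${OIDC_REDIRECT_URI:-}` means an unset variable now yields an empty `OIDC_REDIRECT_URI` and the stack still deploys; whether the API then refuses to start or derives a callback from request data is not visible here, so a misconfigured Swarm deployment may only surface when the OIDC provider rejects the callback. Since the intent is clearly to stop shipping a non-production default, make the variable mandatory with Compose's error form instead: `OIDC_REDIRECT_URI: ${OIDC_REDIRECT_URI:?OIDC_REDIRECT_URI must be set to the public callback URL}`, which fails the deploy with a clear message. The adjacent `JWT_SECRET: ${JWT_SECRET:-change-this-to-a-random-secret}` line, unchanged here, is the same pattern with a worse failure mode (a known signing key in production) and would benefit from the same `:?` treatment.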