diff --git a/web/src/index.js b/web/src/index.js
index bf4064b..d7c4039 100644
--- a/web/src/index.js
+++ b/web/src/index.js
@@ -103,6 +103,10 @@ app.use((req, res, next) => {
   // Some clients omit Origin; allow Referer as fallback.
   if ((origin && ok(origin)) || (!origin && referer && ok(referer))) return next();
+  // In non-production MVP/dev environments, be permissive if headers are missing.
+  // (Notably some browsers/proxies can omit Origin/Referer on same-origin form posts.)
+  if (!isProd && !origin && !referer) return next();
+
   return res.status(403).send('Blocked (CSRF)');
 });
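Review bot: The added `if (!isProd && !origin && !referer) return next();` disables the CSRF origin check for every header-less request whenever `isProd` is false, so a deployment whose environment flag is unset or misconfigured (how `isProd` is derived is outside the hunk) would silently accept cross-site requests that carry neither header. Make the relaxation an explicit opt-in rather than the mere absence of production, and log when it fires so it stays visible in dev, e.g. `if (allowHeaderless && !origin && !referer) { console.warn('CSRF check skipped: no Origin/Referer'); return next(); }` with `allowHeaderless` read from a dedicated setting that defaults to false. The added comment's claim that browsers omit Origin/Referer on same-origin form posts is worth qualifying, since current browsers generally send Origin on POST and the header-less case is mostly non-browser clients, so a note such as `// Expected mainly for non-browser clients; never enable in production.` would keep the rationale honest. The middleware's opening line and the definitions of `isProd`, `origin`, `referer` and `ok` are outside the hunk.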