diff --git a/web/src/index.js b/web/src/index.js
index d7c4039..95123cc 100644
--- a/web/src/index.js
+++ b/web/src/index.js
@@ -85,6 +85,11 @@ app.use(express.json());
 // Basic CSRF mitigation: require same-origin POSTs
 app.use((req, res, next) => {
   if (req.method !== 'POST') return next();
+
+  // MVP/dev: skip CSRF host checks entirely (reverse proxies + browser privacy features
+  // can omit/alter Origin/Referer and cause false blocks). Enforce in production.
+  if (!isProd) return next();
+
   // Allow OAuth callbacks (they are GET in our app anyway) and health checks
   const origin = req.get('origin');
   const referer = req.get('referer');