diff --git a/shared/authentication/src/auth.definition.ts b/shared/authentication/src/auth.definition.ts
index 11f555c..591f558 100644
--- a/shared/authentication/src/auth.definition.ts
+++ b/shared/authentication/src/auth.definition.ts
@@ -87,7 +87,7 @@ export const auth: Auth = betterAuth({
 // Subdomain-friendly cookie setting (recommended over cross-site cookies)
 advanced: {
 defaultCookieAttributes: {
- sameSite: 'none',
+ sameSite: (process.env.COOKIE_SAME_SITE as 'lax' | 'strict' | 'none') || 'lax',
 secure: true,
 },
 },
diff --git a/tests/unit/authentication/cookie-config.test.ts b/tests/unit/authentication/cookie-config.test.ts
new file mode 100644
index 0000000..542e5b4
--- /dev/null
+++ b/tests/unit/authentication/cookie-config.test.ts
@@ -0,0 +1,22 @@
+import * as fs from 'fs';
+import * as path from 'path';
+
+describe('auth.definition.ts cookie configuration', () => {
+ const authDefPath = path.resolve(__dirname, '../../../shared/authentication/src/auth.definition.ts');
+ let source: string;
+
+ beforeAll(() => {
+ source = fs.readFileSync(authDefPath, 'utf-8');
+ });
+
+ it('should not use sameSite: none (weakens CSRF protection)', () => {
+ const hardcodedNone = /sameSite:\s*['"]none['"]/;
+ expect(source).not.toMatch(hardcodedNone);
+
+ expect(source).toMatch(/sameSite:/);
+ });
+
+ it('should set secure: true on cookies', () => {
+ expect(source).toMatch(/secure:\s*true/);
+ });
+});
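Review bot: The `as 'lax' | 'strict' | 'none'` cast on the new `sameSite` line only narrows the compile-time type; at runtime any string placed in `COOKIE_SAME_SITE` (a typo such as `Strict` or `None`) reaches the cookie attribute unvalidated, and `none` — the value the accompanying test describes as weakening CSRF protection — remains selectable by environment with no guard or audit trail. A process-start allow-list check that throws on anything other than the three literals would make a misconfiguration fail loudly instead of silently changing cookie scope; a small validated helper is sketched below, keeping the `|| 'lax'` fallback so an unset or empty variable still resolves to `lax`. The enclosing `betterAuth({ … })` call begins and ends outside the hunk, so the helper would sit above it in the same module. A why-comment next to the option, such as `// 'none' re-enables cross-site cookies; set COOKIE_SAME_SITE=none only with a documented reason`, would also help the next maintainer.
```typescript
const SAME_SITE_VALUES = ['lax', 'strict', 'none'] as const;
type SameSite = (typeof SAME_SITE_VALUES)[number];

// Resolve the SameSite cookie attribute from the environment, failing at
// startup on anything outside the allow-list rather than passing it through.
function resolveSameSite(raw: string | undefined): SameSite {
  const value = raw || 'lax';
  if (!(SAME_SITE_VALUES as readonly string[]).includes(value)) {
    throw new Error(`COOKIE_SAME_SITE must be one of ${SAME_SITE_VALUES.join(', ')}; got "${value}"`);
  }
  return value as SameSite;
}
// … unchanged: betterAuth({ … advanced: { defaultCookieAttributes: { …
            sameSite: resolveSameSite(process.env.COOKIE_SAME_SITE),
```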
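Review bot: Both assertions in the new test grep the source text of auth.definition.ts rather than exercising the value the module produces, so the suite stays green even though `COOKIE_SAME_SITE=none` still selects the rejected setting at runtime, and `/secure:\s*true/` is satisfied by a `secure: true` anywhere in the file, not specifically inside `defaultCookieAttributes`. The `hardcodedNone` regex is also brittle in the other direction: a comment like `// sameSite: 'none' was removed` would fail the build. A stronger check is to unit-test the resolution logic itself — for example extract the env lookup into a `resolveSameSite(raw)` helper and assert `resolveSameSite(undefined) === 'lax'`, `resolveSameSite('strict') === 'strict'`, and that `resolveSameSite('bogus')` throws — or, if the betterAuth instance exposes its configured options (not visible in this diff), assert on that object instead of on regexes. Whether importing auth.definition.ts in a unit test is practical depends on its other module-level side effects, which are outside the hunk.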