diff --git a/next.config.mjs b/next.config.mjs
index 7566b4d1..16190507 100644
--- a/next.config.mjs
+++ b/next.config.mjs
@@ -9,18 +9,23 @@ const nextConfig = {
   },
   output: 'standalone',
   async headers() {
+    const isDev = process.env.NODE_ENV === "development";
     return [
       {
+        // Applied to all routes; API routes get no-op CSP but benefit from other headers
         source: "/(.*)",
         headers: [
           { key: "X-Content-Type-Options", value: "nosniff" },
-          { key: "X-Frame-Options", value: "DENY" },
+          // X-Frame-Options omitted: frame-ancestors in CSP supersedes it in all modern browsers
           { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
           {
             key: "Content-Security-Policy",
             value: [
               "default-src 'self'",
-              "script-src 'self' 'unsafe-inline' 'unsafe-eval'",  // Next.js requires unsafe-inline/eval in dev
+              // unsafe-eval/unsafe-inline required only for Next.js HMR in development
+              isDev
+                ? "script-src 'self' 'unsafe-inline' 'unsafe-eval'"
+                : "script-src 'self' 'unsafe-inline'",
               "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
               "font-src 'self' https://fonts.gstatic.com",
               "img-src 'self' data: blob:",
diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index facac821..78e55f6d 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -89,6 +89,7 @@ function createOAuthProviders(): OAuthConfig<any>[] {
       authorization: config.oauth.authorizationUrl ?? undefined,
       token: config.oauth.tokenUrl ?? undefined,
       userinfo: config.oauth.userinfoUrl ?? undefined,
+      // PKCE is the default for OIDC; state is added as defence-in-depth
       checks: ["pkce", "state"],
       profile(profile) {
         return {