diff --git a/payload.config.ts b/payload.config.ts
index 891ce8c..524951d 100644
--- a/payload.config.ts
+++ b/payload.config.ts
@@ -9,9 +9,15 @@ import { Testimonials } from './payload/collections/Testimonials'
 import { FAQ } from './payload/collections/FAQ'
 import { Media } from './payload/collections/Media'

+const serverURL = process.env.NEXT_PUBLIC_SERVER_URL || ''
+
 export default buildConfig({
 secret: process.env.PAYLOAD_SECRET || 'change-moi',
- serverURL: process.env.NEXT_PUBLIC_SERVER_URL || '',
+ serverURL,
+ // csrf: Payload auto-populates from serverURL when non-empty.
+ // When serverURL is empty, csrf stays [] → all origins accepted (dev-safe).
+ // cors: Allow the public origin to call the REST API from the browser.
+ cors: serverURL ? [serverURL] : '*',
 editor: lexicalEditor(),
 routes: {
 admin: '/gestion59',
diff --git a/payload/collections/Users.ts b/payload/collections/Users.ts
index 244e5a7..c5d5a0c 100644
--- a/payload/collections/Users.ts
+++ b/payload/collections/Users.ts
@@ -4,6 +4,10 @@ export const Users: CollectionConfig = {
 slug: 'users',
 auth: {
 maxLoginAttempts: 0,
+ cookies: {
+ secure: process.env.NODE_ENV === 'production',
+ sameSite: 'Lax',
+ },
 },
 admin: {
 useAsTitle: 'email',
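Review bot: In payload.config.ts the new `cors: serverURL ? [serverURL] : '*'` line fails open: if NEXT_PUBLIC_SERVER_URL is missing in a production deploy, CORS becomes a wildcard and, per the comment added just above it, the csrf allow-list stays empty so every origin is accepted. Nothing in the hunk ties that permissive path to development, so "dev-safe" is an assumption rather than something the code enforces. I would add a startup guard next to the new constant, `if (!serverURL && process.env.NODE_ENV === 'production') throw new Error('NEXT_PUBLIC_SERVER_URL is required in production')`, and keep the wildcard for non-production runs only. The same reasoning applies to the unchanged `'change-moi'` fallback for `secret` on the line above. The buildConfig call continues outside the hunk.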
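Review bot: In payload/collections/Users.ts the added `secure: process.env.NODE_ENV === 'production'` ties the Secure flag to the build mode rather than to how the site is served, so an HTTPS staging or preview deployment running with another NODE_ENV would issue the auth cookie without Secure. Deriving it from the configured URL, e.g. `secure: (process.env.NEXT_PUBLIC_SERVER_URL || '').startsWith('https://')`, keeps the flag aligned with the actual scheme. A short comment such as `// Lax: cookie is still sent on top-level cross-site GET navigations, so no state-changing route may be a GET` would record why Lax was chosen over Strict. The unchanged `maxLoginAttempts: 0` just above appears to disable login lockout in Payload, which is worth confirming alongside this cookie hardening. The Users config object continues outside the hunk.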