diff --git a/backend/src/main/java/org/raddatz/familienarchiv/config/SecurityConfig.java b/backend/src/main/java/org/raddatz/familienarchiv/config/SecurityConfig.java
index 54609315..65608e11 100644
--- a/backend/src/main/java/org/raddatz/familienarchiv/config/SecurityConfig.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/config/SecurityConfig.java
@@ -35,7 +35,12 @@ public class SecurityConfig {
 @Bean
 public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 http
- // CSRF für Entwicklung aus, damit wir Postman/REST Client nutzen können
+ // CSRF is intentionally disabled: every request from the SvelteKit frontend
+ // carries an explicit Authorization header (Basic Auth token injected by
+ // hooks.server.ts). Browsers block cross-origin requests from setting custom
+ // headers, so cross-site request forgery via a third-party page is not
+ // possible with this auth scheme. If the auth model ever changes to
+ // cookie-based sessions, CSRF protection must be re-enabled.
 .csrf(csrf -> csrf.disable())
 .authorizeHttpRequests(auth -> auth