diff --git a/app/config.py b/app/config.py
index 32b615a..57cb153 100644
--- a/app/config.py
+++ b/app/config.py
@@ -39,9 +39,10 @@ class Settings(BaseSettings):
     # in prod seteaza persistent ca si creds_key, altfel cookieurile se invalideaza
     # la restart). Genereaza: python -c "import secrets; print(secrets.token_hex(32))"
     session_secret: str | None = None
-    # True (prod): rutele web fara sesiune -> redirect /login. False (dev): fara
-    # sesiune -> cont implicit id=1, back-compat (C12/§5 Q5).
-    web_auth_required: bool = False
+    # True (IMPLICIT, sigur pentru prod): rutele web fara sesiune -> redirect /login;
+    # CSRF enforce. Pentru dev rapid pe contul implicit id=1 (back-compat C12/§5 Q5),
+    # seteaza explicit AUTOPASS_WEB_AUTH_REQUIRED=false.
+    web_auth_required: bool = True
     # True (prod, in spatele Cloudflare Tunnel TLS): cookie cu Secure flag (C4).
     # False (dev): cookie fara Secure, functioneaza pe HTTP.
     session_https_only: bool = False
diff --git a/tests/test_dashboard.py b/tests/test_dashboard.py
index 7c88f71..f9a69e6 100644
--- a/tests/test_dashboard.py
+++ b/tests/test_dashboard.py
@@ -15,6 +15,9 @@ from fastapi.testclient import TestClient
 def client(monkeypatch):
     tmp = tempfile.mkdtemp()
     monkeypatch.setenv("AUTOPASS_DB_PATH", os.path.join(tmp, "t.db"))
+    # Comportament in mod dev (fallback cont 1, fara login/CSRF); auth web e
+    # default ON in prod — testat separat in test_web_*.
+    monkeypatch.setenv("AUTOPASS_WEB_AUTH_REQUIRED", "false")
     from app.config import get_settings
     get_settings.cache_clear()
 
diff --git a/tests/test_import_ui.py b/tests/test_import_ui.py
index 64cec10..5fa051a 100644
--- a/tests/test_import_ui.py
+++ b/tests/test_import_ui.py
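Review bot: The new comment presents `web_auth_required: bool = True` as the safe production default, but two lines below `session_https_only: bool = False` is still opt-in, so a deployment that relies on defaults now enforces login while issuing the session cookie without the Secure flag; either flip that default in the same change or make the asymmetry explicit in the comment, e.g. `# NOTE: spre deosebire de web_auth_required, Secure ramane opt-in (presumably AUTOPASS_SESSION_HTTPS_ONLY=true, following the naming of the other fields)`. Flipping the default is also a behaviour change for existing deployments that never set the variable — after upgrade their web routes redirect to /login — so it belongs in the changelog or upgrade notes. The Settings class continues outside the hunk, so I cannot see whether anything else keys off the old False default.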
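Review bot: The same three-line opt-out (`monkeypatch.setenv("AUTOPASS_WEB_AUTH_REQUIRED", "false")` plus its comment) is pasted into the fixtures of tests/test_dashboard.py, tests/test_import_ui.py and tests/test_import_web_scope.py; a single shared fixture in conftest.py (for example a `dev_mode_env(monkeypatch)` fixture these three request) would keep the opt-out and its rationale in one place, so a later change to the flag's name or semantics is not missed in one of the copies. The comment's claim that the auth-ON path is covered in test_web_* is fine as a pointer but cannot be checked from this diff. The client fixture's body continues outside the hunk.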
@@ -26,6 +26,9 @@ import pytest
 def client(monkeypatch):
     tmp = tempfile.mkdtemp()
     monkeypatch.setenv("AUTOPASS_DB_PATH", os.path.join(tmp, "t.db"))
+    # Comportament in mod dev (fallback cont 1, fara login/CSRF); auth web e
+    # default ON in prod — testat separat in test_web_*.
+    monkeypatch.setenv("AUTOPASS_WEB_AUTH_REQUIRED", "false")
     from app.config import get_settings
     get_settings.cache_clear()
 
diff --git a/tests/test_import_web_scope.py b/tests/test_import_web_scope.py
index 37a295f..f4f1d4c 100644
--- a/tests/test_import_web_scope.py
+++ b/tests/test_import_web_scope.py
@@ -46,6 +46,9 @@ def _csrf_from(html: str) -> str:
 def env(monkeypatch):
     tmp = tempfile.mkdtemp()
     monkeypatch.setenv("AUTOPASS_DB_PATH", os.path.join(tmp, "scope.db"))
+    # Scoping testat prin monkeypatch require_login pe acct_a/acct_b; rulam in mod
+    # dev (CSRF skip fara sesiune) — auth web e default ON in prod, testat in test_web_*.
+    monkeypatch.setenv("AUTOPASS_WEB_AUTH_REQUIRED", "false")
     from app.config import get_settings
     get_settings.cache_clear()
     from app.main import app
diff --git a/tests/test_web_session.py b/tests/test_web_session.py
index 42a96c7..ba79f76 100644
--- a/tests/test_web_session.py
+++ b/tests/test_web_session.py
@@ -147,3 +147,15 @@ def test_ruta_protejata_cu_sesiune_trece(client_auth):
     resp = client_auth.get("/protected")
     assert resp.status_code == 200
     assert resp.json()["account_id"] == 5
+
+
+def test_web_auth_required_default_true(monkeypatch):
+    """Default-ul de productie: auth web e ON daca AUTOPASS_WEB_AUTH_REQUIRED nu e setat.
+
+    Dev rapid pe cont 1 = opt-out explicit (AUTOPASS_WEB_AUTH_REQUIRED=false).
+    """
+    monkeypatch.delenv("AUTOPASS_WEB_AUTH_REQUIRED", raising=False)
+    from app.config import Settings, get_settings
+    get_settings.cache_clear()
+    assert Settings().web_auth_required is True
+    get_settings.cache_clear()
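Review bot: In test_web_auth_required_default_true the trailing `get_settings.cache_clear()` only runs when the assertion passes, so a failing run leaves whatever get_settings cached for later tests in the session; put the assertion in `try: assert Settings().web_auth_required is True` / `finally: get_settings.cache_clear()`, or move the clear into a fixture teardown. Since Settings extends BaseSettings, the default is also subject to any env-file the class is configured to read, so a developer's local opt-out could make this test fail even with the variable deleted from the process environment — if an env_file is configured (not visible here), construct the instance with `Settings(_env_file=None)` so the test checks the code default and nothing else. The test pins the field's default but not the resulting behaviour (redirect to /login without a session); that is presumably covered by the client_auth tests above, which is fine as long as one of them runs with the variable unset.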