diff --git a/backend/middleware/csrf.js b/backend/middleware/csrf.js
index 0d788bd..53e3bcd 100644
--- a/backend/middleware/csrf.js
+++ b/backend/middleware/csrf.js
@@ -1,11 +1,24 @@
 const csrf = require("csrf");
 const cookieParser = require("cookie-parser");
+const logger = require("../utils/logger");
 // Initialize CSRF token generator
 const tokens = new csrf();
-// Generate a secret for signing tokens
-const secret = tokens.secretSync();
+// Use persistent secret from environment variable to prevent token invalidation on restart
+const secret = process.env.CSRF_SECRET;
+
+if (!secret) {
+ const errorMsg = "CSRF_SECRET environment variable is required.";
+ logger.error(errorMsg);
+ throw new Error(errorMsg);
+}
+
+if (secret.length < 32) {
+ const errorMsg = "CSRF_SECRET must be at least 32 characters for security";
+ logger.error(errorMsg);
+ throw new Error(errorMsg);
+}
 // CSRF middleware using double submit cookie pattern
 const csrfProtection = (req, res, next) => {
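Review bot: The `secret.length < 32` check measures string length, not randomness, so a value of thirty-two repeated characters or a copied example string passes, and nothing in the file says how the value should be produced. I would add a comment above the read, `// CSRF_SECRET: random value, e.g. crypto.randomBytes(32).toString("hex"); rotating it invalidates all outstanding tokens`, and keep the fail-closed throw at module load as it is. Because the secret is now stable across restarts and shared by every request in the process, a token signed with it stays verifiable until the variable is rotated. Whether tokens are otherwise bound to a session or an expiry depends on `csrfProtection`, whose body begins on the last line of the hunk and is not visible here.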