diff --git a/src/hooks.server.ts b/src/hooks.server.ts
new file mode 100644
index 0000000..4864314
--- /dev/null
+++ b/src/hooks.server.ts
@@ -0,0 +1,14 @@
+import type { Handle } from '@sveltejs/kit';
+
+export const handle: Handle = async ({ event, resolve }) => {
+ // Web Share Target POSTs arrive with a foreign Origin header (e.g. from
+ // youtube.com or the OS share sheet), which trips SvelteKit's CSRF guard.
+ // Dropping the header for this one route is safe — it is intentionally
+ // designed to receive cross-origin form submissions.
+ if (event.url.pathname === '/share' && event.request.method === 'POST') {
+ const headers = new Headers(event.request.headers);
+ headers.delete('origin');
+ event.request = new Request(event.request, { headers });
+ }
+ return resolve(event);
+};
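Review bot: The comment's claim that dropping `origin` "is safe" is not backed by anything in this hunk: the intent is that `/share` POSTs get no cross-site request check at all, so any third-party page can submit a form to it from a signed-in user's browser. The `/share` handler (not visible here) then has to treat the body as untrusted and must not persist anything against the session without a confirmation step or its own token; I would reword the comment to state that requirement, e.g. `// CSRF origin check is bypassed for /share: the action must not change state without user confirmation.` It is also worth verifying that the rewrite has any effect: as far as I recall, SvelteKit's built-in origin check runs before `handle` and rejects a missing Origin as well as a foreign one. If so, the usual approach is to disable `csrf.checkOrigin` in the kit config and re-implement the origin comparison in this hook with `/share` as the only exemption.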