diff --git a/src/hooks.server.ts b/src/hooks.server.ts
deleted file mode 100644
index 4864314..0000000
--- a/src/hooks.server.ts
+++ /dev/null
@@ -1,14 +0,0 @@
-import type { Handle } from '@sveltejs/kit';
-
-export const handle: Handle = async ({ event, resolve }) => {
- // Web Share Target POSTs arrive with a foreign Origin header (e.g. from
- // youtube.com or the OS share sheet), which trips SvelteKit's CSRF guard.
- // Dropping the header for this one route is safe — it is intentionally
- // designed to receive cross-origin form submissions.
- if (event.url.pathname === '/share' && event.request.method === 'POST') {
- const headers = new Headers(event.request.headers);
- headers.delete('origin');
- event.request = new Request(event.request, { headers });
- }
- return resolve(event);
-};
diff --git a/svelte.config.js b/svelte.config.js
index 9e98ce3..9409ebb 100644
--- a/svelte.config.js
+++ b/svelte.config.js
@@ -6,7 +6,10 @@ const config = {
 runes: ({ filename }) => (filename.split(/[/\\]/).includes('node_modules') ? undefined : true)
 },
 kit: {
- adapter: adapter({ out: 'build' })
+ adapter: adapter({ out: 'build' }),
+ // CSRF origin check disabled: this app uses no cookie-based session auth,
+ // and the Web Share Target POST legitimately arrives from external origins.
+ csrf: { checkOrigin: false }
 }
 };
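Review bot: `csrf: { checkOrigin: false }` switches off SvelteKit's origin check for every POST handler and form action in the app, whereas the hook removed in the preceding hunk exempted only `POST /share`, so the exposure widens from one route that is designed to be cross-origin to the whole site, and the added comment's justification ("no cookie-based session auth") is an invariant nothing will re-check when cookies or sessions are introduced later. The narrower option is to keep the route-scoped exemption in `hooks.server.ts` instead of this global switch; if the global switch is kept, the comment should read as a maintenance constraint, e.g. `// INVARIANT: before adding any cookie- or session-based state, re-enable this check (or scope the exemption to POST /share in hooks.server.ts) — with it off, every form action is reachable cross-site.` Whether the share target genuinely needs the app-wide check disabled cannot be determined from this diff alone. The `kit` object and the enclosing `config` literal continue outside the hunk.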