diff --git a/src/main.ts b/src/main.ts
index 96cd87aa..c190f84a 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -78,12 +78,32 @@ async function bootstrapWorker() {
 cookie: {
 maxAge: sessionConfig.cookieMaxAgeMs,
 httpOnly: true,
- sameSite: 'lax',
- secure: sessionConfig.secureCookies,
+ sameSite: 'strict',
+ secure: true,
 },
 }),
 );
+ // Session fixation protection: bind session to User-Agent
+ app.use((req: any, res: any, next: any) => {
+ if (!req.session) {
+ return next();
+ }
+
+ const userAgent = req.headers['user-agent'] || 'unknown';
+ if (!req.session.userAgent) {
+ req.session.userAgent = userAgent;
+ } else if (req.session.userAgent !== userAgent) {
+ return req.session.destroy((err: any) => {
+ if (err) {
+ logger.error('Error destroying session', err);
+ }
+ res.status(401).json({ message: 'Session invalidation due to fixation protection' });
+ });
+ }
+ next();
+ });
+
 // ─── Global Exception Filter ──────────────────────────────────────────────
 app.useGlobalFilters(new GlobalExceptionFilter());
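Review bot: The User-Agent check added at `app.use((req: any, res: any, next: any) => …` does not prevent session fixation — fixation is stopped by issuing a fresh session ID when the user authenticates (`req.session.regenerate()` in the login handler, which is outside this hunk, plus `destroy()` at logout), and an attacker who plants or steals a session cookie can trivially send the matching `User-Agent` header, so at best this is a weak hijacking heuristic that will also log users out on routine browser updates. The comment and the 401 message should say what the code actually does, e.g. `// Best-effort hijack heuristic: drop a session whose User-Agent changed (not a fixation defense; regenerate the session ID at login for that)`. Separately, hard-coding `secure: true` removes the `sessionConfig.secureCookies` switch, so the cookie is never set over plain HTTP (e.g. local development) unless the app sits behind a TLS-terminating proxy with `trust proxy` enabled, and `sameSite: 'strict'` withholds the cookie on cross-site top-level navigations such as links from other sites or OAuth/SSO callbacks — confirm those flows still work before merging. `bootstrapWorker` begins and ends outside the hunk.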