diff --git a/src/infrastructure/config/settings.py b/src/infrastructure/config/settings.py
index 43847e3..f373edd 100644
--- a/src/infrastructure/config/settings.py
+++ b/src/infrastructure/config/settings.py
@@ -100,17 +100,29 @@ class Settings(BaseSettings):
     @field_validator('CSRF_COOKIE_DOMAIN', mode='before')
     @classmethod
-    def empty_csrf_domain_to_none(cls, v):
+    def normalize_csrf_cookie_domain(cls, v):
         if v is None or (isinstance(v, str) and not v.strip()):
-            return None
-        return v
+            return '.elcsa.ru'
+        s = str(v).strip()
+        sl = s.lower()
+        if sl in ('.elcsa.ru', 'elcsa.ru'):
+            return '.elcsa.ru'
+        if sl.endswith('.elcsa.ru') and not sl.startswith('.'):
+            return '.elcsa.ru'
+        return s
 
     @field_validator('AUTH_COOKIE_DOMAIN', mode='before')
     @classmethod
-    def empty_auth_domain_to_none(cls, v):
+    def normalize_auth_cookie_domain(cls, v):
         if v is None or (isinstance(v, str) and not v.strip()):
-            return None
-        return v
+            return '.elcsa.ru'
+        s = str(v).strip()
+        sl = s.lower()
+        if sl in ('.elcsa.ru', 'elcsa.ru'):
+            return '.elcsa.ru'
+        if sl.endswith('.elcsa.ru') and not sl.startswith('.'):
+            return '.elcsa.ru'
+        return s
 
     @field_validator('REDIS_PASSWORD', mode='before')
     @classmethod
diff --git a/src/presentation/routing/csrf.py b/src/presentation/routing/csrf.py
index ad5a822..1e146d2 100644
--- a/src/presentation/routing/csrf.py
+++ b/src/presentation/routing/csrf.py
@@ -30,7 +30,7 @@ async def issue_csrf_token(request: Request):
         httponly=settings.CSRF_COOKIE_HTTPONLY,
         samesite=settings.CSRF_COOKIE_SAMESITE,
         path=settings.CSRF_COOKIE_PATH,
-        domain=settings.CSRF_COOKIE_DOMAIN,
+        domain=settings.CSRF_COOKIE_DOMAIN or '.elcsa.ru',
         max_age=csrf.ttl_seconds,
     )
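Review bot: The empty-value branch in both normalize_csrf_cookie_domain and normalize_auth_cookie_domain now returns the production zone `'.elcsa.ru'`, so any environment that leaves CSRF_COOKIE_DOMAIN or AUTH_COOKIE_DOMAIN unset gets a Domain-attributed cookie instead of the host-only cookie the old `return None` produced; on localhost or a staging host outside elcsa.ru the browser will reject that cookie, and in production the auth cookie becomes readable and writable from every subdomain of elcsa.ru. The `if sl.endswith('.elcsa.ru') and not sl.startswith('.'):` branch has the same widening effect for an explicitly configured host such as `auth.elcsa.ru`, silently turning a deliberately narrow scope into the whole zone. I would keep `return None` for the empty case and drop that endswith branch, leaving only the leading-dot normalization so an operator's explicit host value is honoured; the environment-specific default belongs in the settings source, not in the validator. The two validators are identical apart from the field name and could share one `_normalize_cookie_domain(v)` helper. The enclosing Settings class continues outside the hunk.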
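Review bot: The `or '.elcsa.ru'` fallback on the `domain=` argument hard-codes the production zone in a second place and duplicates the default the settings validator already applies, so the two can silently diverge; as far as this diff shows, CSRF_COOKIE_DOMAIN is never falsy once the validator runs, and if an empty value is ever meant to yield a host-only cookie this fallback defeats it. I would keep the line as `domain=settings.CSRF_COOKIE_DOMAIN,` and leave the cookie-domain policy to settings alone. issue_csrf_token starts outside the hunk.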