diff --git a/src/infrastructure/config/settings.py b/src/infrastructure/config/settings.py
index a3ae7d3..a1ceaa7 100644
--- a/src/infrastructure/config/settings.py
+++ b/src/infrastructure/config/settings.py
@@ -96,7 +96,7 @@ class Settings(BaseSettings):
 S3_SECRET_ACCESS_KEY: str = ''
 S3_ENDPOINT_URL: str = ''
 S3_PUBLIC_BASE_URL: str = ''
- S3_REGRU_PUBLIC_WEBSITE_HOST: bool = True
+ S3_REGRU_PUBLIC_WEBSITE_HOST: bool = False
 S3_AVATAR_KEY_PREFIX: str = 'avatars'
 LOG_LEVEL: Literal['DEBUG', 'INFO', 'WARNING', 'ERROR', 'CRITICAL'] = 'INFO'
@@ -116,7 +116,7 @@ class Settings(BaseSettings):
 object.__setattr__(self, 'S3_ENDPOINT_URL', '')
 object.__setattr__(self, 'S3_PUBLIC_BASE_URL', '')
 object.__setattr__(self, 'S3_REGION', 'us-east-1')
- object.__setattr__(self, 'S3_REGRU_PUBLIC_WEBSITE_HOST', True)
+ object.__setattr__(self, 'S3_REGRU_PUBLIC_WEBSITE_HOST', False)
 object.__setattr__(self, 'S3_AVATAR_KEY_PREFIX', 'avatars')
 @staticmethod
diff --git a/src/presentation/routing/account_settings.py b/src/presentation/routing/account_settings.py
index 0cd690a..9b8bd00 100644
--- a/src/presentation/routing/account_settings.py
+++ b/src/presentation/routing/account_settings.py
@@ -3,7 +3,7 @@ from fastapi.responses import ORJSONResponse
 from starlette import status
 from src.application.commands import SetPhoneCommand, SetAvatarCommand
 from src.application.domain.dto import AuthContext
-from src.presentation.decorators import require_access_token
+from src.presentation.decorators import require_access_token, csrf_protect
 from src.presentation.dependencies import (
 get_set_avatar_command,
 get_set_phone_command,
@@ -46,6 +46,7 @@ _SET_AVATAR_ERROR_RESPONSES: dict[int, dict[str, object]] = {
 @account_settings_router.patch(path='/phone', response_class=ORJSONResponse, status_code=status.HTTP_200_OK)
+@csrf_protect()
 async def set_phone(
 request: Request,
 body: SetPhoneRequest,
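Review bot: The default for `S3_REGRU_PUBLIC_WEBSITE_HOST` is written in two places, the field declaration in the `-96,7` hunk and the `object.__setattr__(self, 'S3_REGRU_PUBLIC_WEBSITE_HOST', False)` reset in the `-116,7` hunk, and this commit had to edit both by hand. A single module-level constant used by both, e.g. `_DEFAULT_REGRU_PUBLIC_WEBSITE_HOST = False`, would stop them drifting apart. Flipping the default also changes behaviour for any deployment that never set the variable explicitly, so the field deserves a one-line comment saying what the flag controls and why it is now off unless configured; the code that reads the flag is not in this diff, so the wording needs confirming against it. Both hunks sit inside `Settings`, whose body starts and ends outside them.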
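Review bot: `@csrf_protect()` on `set_phone` (and on `set_avatar` in the `-70,6` hunk) is applied to the handler before the router registers it, so FastAPI inspects the wrapper's signature; unless `csrf_protect` preserves it with `functools.wraps`, `request`, `body` and the injected dependencies will not be resolved. The decorator is defined outside this diff, so please confirm that, and if it locates the token through the `request` parameter add a short comment above each use, e.g. `# csrf_protect reads the token from 'request'; keep that parameter`. A test asserting that a PATCH without a valid CSRF token is rejected on both routes would pin the new behaviour. The signature and body of `set_phone` continue outside the hunk.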
@@ -70,6 +71,7 @@ async def set_phone(
 ),
 responses=_SET_AVATAR_ERROR_RESPONSES,
 )
+@csrf_protect()
 async def set_avatar(
 request: Request,
 body: SetAvatarRequest,
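Review bot: `set_avatar` still documents only `responses=_SET_AVATAR_ERROR_RESPONSES`, so whatever status `@csrf_protect()` returns for a missing or mismatched token will not appear in the OpenAPI schema unless that mapping already lists it; its entries are outside this hunk. If it does not, add the entry there, e.g. a `status.HTTP_403_FORBIDDEN` key, assuming that is the status the decorator uses, since its implementation is not in this diff. The signature of `set_avatar` continues past the end of the hunk.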