diff --git a/backend/src/main/java/com/storycove/config/SecurityConfig.java b/backend/src/main/java/com/storycove/config/SecurityConfig.java
index e7826a2..0365f01 100644
--- a/backend/src/main/java/com/storycove/config/SecurityConfig.java
+++ b/backend/src/main/java/com/storycove/config/SecurityConfig.java
@@ -7,7 +7,6 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
-import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
@@ -39,20 +38,6 @@ public class SecurityConfig {
 .cors(cors -> cors.configurationSource(corsConfigurationSource()))
 .csrf(AbstractHttpConfigurer::disable)
 .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
- .headers(headers -> headers
- .frameOptions().deny()
- .contentTypeOptions().and()
- .contentSecurityPolicy("default-src 'self'; " +
- "script-src 'self' 'unsafe-inline' 'unsafe-eval'; " +
- "style-src 'self' 'unsafe-inline'; " +
- "img-src 'self' data: blob:; " +
- "font-src 'self'; " +
- "connect-src 'self'; " +
- "media-src 'self'; " +
- "object-src 'none'; " +
- "frame-src 'none'; " +
- "base-uri 'self'")
- )
 .authorizeHttpRequests(authz -> authz
 // Public endpoints
 .requestMatchers("/api/auth/**").permitAll()
diff --git a/backend/src/main/java/com/storycove/util/JwtUtil.java b/backend/src/main/java/com/storycove/util/JwtUtil.java
index a8e3b08..c908671 100644
--- a/backend/src/main/java/com/storycove/util/JwtUtil.java
+++ b/backend/src/main/java/com/storycove/util/JwtUtil.java
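Review bot: Deleting the whole `.headers(...)` customizer in the second hunk drops the Content-Security-Policy response header entirely rather than adjusting whichever directive was presumably getting in the way; `frameOptions().deny()` and `contentTypeOptions()` match Spring Security's default header set and should still be emitted, but `object-src 'none'`, `frame-src 'none'` and `base-uri 'self'` are no longer enforced on any response. The removed policy was already lenient on scripts (`'unsafe-inline' 'unsafe-eval'`), so the usual fix is to keep it and widen only the failing source, or to keep it in report-only mode while tuning, e.g. `.headers(headers -> headers.contentSecurityPolicy(csp -> csp.policyDirectives(POLICY).reportOnly()))` with POLICY standing for the directive string. If the header really must go, a comment on the `.sessionManagement(...)` line recording why the CSP was dropped and which defaults are still relied on would stop the next reader from assuming it was never there. The enclosing filter-chain method starts and ends outside the hunk.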
@@ -1,10 +1,9 @@
 package com.storycove.util;
-import com.storycove.config.SecurityProperties;
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.security.Keys;
-import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
 import javax.crypto.SecretKey;
@@ -13,20 +12,19 @@ import java.util.Date;
 @Component
 public class JwtUtil {
- private final SecurityProperties securityProperties;
+ @Value("${storycove.jwt.secret}")
+ private String secret;
- @Autowired
- public JwtUtil(SecurityProperties securityProperties) {
- this.securityProperties = securityProperties;
- }
+ @Value("${storycove.jwt.expiration:86400000}") // 24 hours default
+ private Long expiration;
 private SecretKey getSigningKey() {
- return Keys.hmacShaKeyFor(securityProperties.getJwt().getSecret().getBytes());
+ return Keys.hmacShaKeyFor(secret.getBytes());
 }
 public String generateToken() {
 Date now = new Date();
- Date expiryDate = new Date(now.getTime() + securityProperties.getJwt().getExpiration());
+ Date expiryDate = new Date(now.getTime() + expiration);
 return Jwts.builder()
 .subject("user")