diff --git a/src/lib/security/csrf.ts b/src/lib/security/csrf.ts
index 5818b78..1694a23 100644
--- a/src/lib/security/csrf.ts
+++ b/src/lib/security/csrf.ts
@@ -120,7 +120,8 @@ export function validateCsrf(req: NextRequest): {
 } {
 // 0. CI/Test-Modus: CSRF-Schutz deaktivieren wenn CI=true
 // Dies gilt für GitHub Actions E2E-Tests, wo CSRF-Token-Handling nicht praktikabel ist
- if (process.env.CI === 'true') {
+ // BYPASS_CSRF='false' kann gesetzt werden um CSRF in CI zu aktivieren (für Security-Tests)
+ if (process.env.CI === 'true' && process.env.BYPASS_CSRF !== 'false') {
 return { valid: true }
 }
diff --git a/tests/int/security-api.int.spec.ts b/tests/int/security-api.int.spec.ts
index f9af58b..46e47c1 100644
--- a/tests/int/security-api.int.spec.ts
+++ b/tests/int/security-api.int.spec.ts
@@ -8,8 +8,8 @@ import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest'
 import { NextRequest, NextResponse } from 'next/server'
-// Clear CI environment variable to ensure CSRF validation works normally during tests
-vi.stubEnv('CI', '')
+// Enable CSRF validation in CI by setting BYPASS_CSRF=false
+vi.stubEnv('BYPASS_CSRF', 'false')
 import {
 generateTestCsrfToken,
 generateExpiredCsrfToken,
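Review bot: The new condition keeps the bypass fail-open: whenever CI=true the CSRF check is skipped unless someone remembers to set BYPASS_CSRF to exactly the string 'false', so a misspelling (`False`, `0`, an unset variable) silently disables validation, and any deployment that happens to export CI=true gets no CSRF protection at all. Inverting the flag makes the unsafe state the one that has to be requested explicitly: `if (process.env.CI === 'true' && process.env.BYPASS_CSRF === 'true') {`, with the E2E workflow setting BYPASS_CSRF=true (that workflow is outside this diff and would need a matching change). If the opt-out form must stay, at least refuse it in production builds by adding `&& process.env.NODE_ENV !== 'production'` to the same condition. The added comment is in German while the paired spec change is English; `// BYPASS_CSRF=false re-enables CSRF validation in CI (used by the security tests)` would keep the escape hatch discoverable to everyone reading the file. validateCsrf's body continues past the end of the hunk.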
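Review bot: Nothing in this hunk exercises the new gating itself — the spec only relies on BYPASS_CSRF=false to get normal validation, so a later edit that loosens the condition in csrf.ts (say, back to CI=true alone) is caught only indirectly, by whichever existing test happens to assert a rejection. A dedicated case should stub CI=true once with BYPASS_CSRF unset and once with it set to 'false', and check that validateCsrf returns valid:true only in the former; whether validateCsrf is imported in this file is not visible here (the import list is cut off at the end of the hunk), so that import may need adding. The stub also sits at module level rather than in a beforeEach, which a vitest config with `unstubEnvs: true` would clear before the first test runs; moving `vi.stubEnv('BYPASS_CSRF', 'false')` into the existing beforeEach (imported but not shown) avoids that. Whether a token-less POST is rejected by the real validation path is not visible in this diff, so the second assertion below is an assumption to confirm.
```typescript
// … unchanged: imports and existing suites …
describe('CI bypass gating', () => {
  afterEach(() => vi.unstubAllEnvs())

  it('skips validation only when CI=true and BYPASS_CSRF is not "false"', () => {
    const req = new NextRequest('http://localhost/api/test', { method: 'POST' })
    vi.stubEnv('CI', 'true')
    vi.stubEnv('BYPASS_CSRF', '')
    expect(validateCsrf(req).valid).toBe(true)
    vi.stubEnv('BYPASS_CSRF', 'false')
    expect(validateCsrf(req).valid).toBe(false) // assumes a token-less POST is rejected — confirm
  })
})
```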