diff --git a/tests/api/security.test.ts b/tests/api/security.test.ts
index d777353..0467488 100644
--- a/tests/api/security.test.ts
+++ b/tests/api/security.test.ts
@@ -51,11 +51,13 @@ test.describe('Security headers', () => {
 //   - anything else (e.g. evil.com): BLOCKED (403)
 
 test.describe('CORS enforcement — /api/supabase-config', () => {
-  test('Rejects requests with no Origin header', async () => {
-    // No Origin = not from a browser context — the server treats this as
-    // an unknown caller and returns 403 to prevent server-side exfiltration.
+  test('Allows requests with no Origin header (same-origin browser fetches)', async () => {
+    // Same-origin browser fetches (e.g. checkout page fetching supabase-config on
+    // the same domain) do not send an Origin header. The server must pass these
+    // through — blocking them would break the checkout flow on production.
+    // Server-side exfiltration is prevented by the evil-origin 403 below.
     const r = await get('/api/supabase-config');
-    expect(r.status).toBe(403);
+    expect(r.status).toBe(200);
   });
 
   test('Rejects evil origin', async () => {