diff --git a/public/js/blog.js b/public/js/blog.js
index ca82d788..ad3e830c 100644
--- a/public/js/blog.js
+++ b/public/js/blog.js
@@ -571,10 +571,17 @@ function setupNewsletterModal() {
 submitBtn.textContent = 'Subscribing...';
 try {
+ // Get CSRF token from cookie
+ const csrfToken = document.cookie
+ .split('; ')
+ .find(row => row.startsWith('csrf-token='))
+ ?.split('=')[1];
+
 const response = await fetch('/api/newsletter/subscribe', {
 method: 'POST',
 headers: {
- 'Content-Type': 'application/json'
+ 'Content-Type': 'application/json',
+ 'X-CSRF-Token': csrfToken || ''
 },
 body: JSON.stringify({
 email,
diff --git a/src/middleware/csrf-protection.middleware.js b/src/middleware/csrf-protection.middleware.js
index 4da885a1..2a9a9e12 100644
--- a/src/middleware/csrf-protection.middleware.js
+++ b/src/middleware/csrf-protection.middleware.js
@@ -79,7 +79,7 @@ function setCsrfToken(req, res, next) {
 const isSecure = req.secure || req.headers['x-forwarded-proto'] === 'https';
 res.cookie('csrf-token', token, {
- httpOnly: true,
+ httpOnly: false, // Must be false for double-submit pattern (client needs to read it)
 secure: isSecure && process.env.NODE_ENV === 'production',
 sameSite: 'strict',
 maxAge: 24 * 60 * 60 * 1000 // 24 hours
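Review bot: The cookie lookup added in the blog.js hunk ends with `.split('=')[1]`, which keeps only the text between the first and second `=`, so a token value that itself contains `=` (base64 padding, for example) is sent truncated and will never match on the server; slicing past the name avoids that: `?.slice('csrf-token='.length);`. The middleware hunk sets this cookie through `res.cookie`, which in Express encodes the value with encodeURIComponent by default, so the raw string read from `document.cookie` may also differ from the server-side token unless it is decoded before being placed in the header, e.g. `'X-CSRF-Token': csrfToken ? decodeURIComponent(csrfToken) : ''`; whether the server compensates for this is not visible in the diff. The `|| ''` fallback quietly sends a request that the server will reject when the cookie is absent, which is reasonable, but a one-line comment such as `// No csrf-token cookie yet: send an empty header and let the server reject the request` would make that intent explicit. setupNewsletterModal starts before this hunk and continues after it.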