diff --git a/shared/browser/app/csrf.py b/shared/browser/app/csrf.py
index bfd898d..136a8be 100644
--- a/shared/browser/app/csrf.py
+++ b/shared/browser/app/csrf.py
@@ -57,6 +57,11 @@ async def protect() -> None:
     if _is_exempt_endpoint():
         return
 
+    # Internal service-to-service calls are already gated by header checks
+    # and only reachable on the Docker overlay network.
+    if request.headers.get("X-Internal-Action") or request.headers.get("X-Internal-Data"):
+        return
+
     session_token = qsession.get("csrf_token")
     if not session_token:
         abort(400, "Missing CSRF session token")
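Review bot: The added early return on the `if request.headers.get("X-Internal-Action") or request.headers.get("X-Internal-Data"):` line skips CSRF validation on the mere presence of a header, so its safety rests entirely on the gating the comment says happens elsewhere and on CORS never allowing a cross-origin page to send those headers. Nothing in this hunk verifies the header's value or the caller's network origin, and a later CORS change that permits arbitrary request headers with credentials would silently turn this into a CSRF bypass for every non-exempt endpoint. Consider having `protect()` reuse the same verification that gates internal requests instead of testing presence, e.g. `if INTERNAL_GATE_CHECK(request): return` (placeholder for the existing internal-auth check, not visible here), and making the coupling explicit in the comment: `# NOTE: safe only while CORS rejects these custom headers from other origins and the internal gate verifies them before any handler runs.` The body of `protect()` continues on both sides of this hunk.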