diff --git a/KEYCLOAK_VERIFICATION.md b/KEYCLOAK_VERIFICATION.md
new file mode 100644
index 0000000..454a701
--- /dev/null
+++ b/KEYCLOAK_VERIFICATION.md
@@ -0,0 +1,121 @@
+# Vérification Configuration Keycloak - UnionFlow
+
+**Date:** 2025-12-21
+**Realm:** unionflow
+**Client ID:** unionflow-client
+
+---
+
+## À Vérifier dans la Console Admin Keycloak
+
+### 1. Accéder à la Configuration du Client
+
+1. Se connecter à https://security.lions.dev
+2. Sélectionner le realm **unionflow**
+3. Aller dans **Clients** → **unionflow-client**
+
+### 2. Vérifier les Redirect URIs
+
+Dans l'onglet **Settings**, vérifier que **Valid Redirect URIs** contient:
+
+```
+https://unionflow.lions.dev/auth/callback
+```
+
+Si absent, l'ajouter et cliquer sur **Save**.
+
+### 3. Vérifier les Paramètres OIDC
+
+Dans l'onglet **Settings**, s'assurer que:
+
+- **Client Protocol:** openid-connect
+- **Access Type:** confidential
+- **Standard Flow Enabled:** ON
+- **Direct Access Grants Enabled:** ON (optionnel)
+- **Valid Redirect URIs:** `https://unionflow.lions.dev/auth/callback`
+- **Web Origins:** `https://unionflow.lions.dev`
+
+### 4. Vérifier le Client Secret
+
+Dans l'onglet **Credentials**:
+- Noter le **Secret** (doit correspondre à `KEYCLOAK_CLIENT_SECRET` dans l'environnement)
+
+---
+
+## Configuration Application Corrigée
+
+### application-prod.properties
+
+```properties
+# Configuration Keycloak OIDC - Production
+quarkus.oidc.enabled=true
+quarkus.oidc.auth-server-url=https://security.lions.dev/realms/unionflow
+quarkus.oidc.client-id=unionflow-client
+quarkus.oidc.credentials.secret=${KEYCLOAK_CLIENT_SECRET}
+quarkus.oidc.application-type=web-app
+
+# ✅ CORRECTION: Callback path explicite
+quarkus.oidc.authentication.redirect-path=/auth/callback
+
+# ✅ CORRECTION: Redirection après login réussie
+quarkus.oidc.authentication.redirect-path-after-login=/pages/secure/dashboard.xhtml
+
+quarkus.oidc.authentication.restore-path-after-redirect=true
+quarkus.oidc.authentication.force-redirect-https-scheme=true
+```
+
+---
+
+## Flux OAuth Attendu
+
+1. **Accès initial:** `https://unionflow.lions.dev`
+ - Affiche landing page (index.xhtml)
+ - Bouton "Accéder" → `/pages/secure/dashboard.xhtml`
+
+2. **Redirection Keycloak:** Utilisateur non authentifié
+ - Redirect vers `https://security.lions.dev/realms/unionflow/protocol/openid-connect/auth`
+
+3. **Authentification:** Login Keycloak
+ - Utilisateur entre credentials
+
+4. **Callback OAuth:** Keycloak renvoie vers application
+ - `https://unionflow.lions.dev/auth/callback?state=...&code=...`
+
+5. **Redirection finale:** Application traite le callback
+ - Redirect automatique vers `/pages/secure/dashboard.xhtml` ✅
+
+---
+
+## Commandes de Diagnostic
+
+### Vérifier la configuration OIDC
+
+```bash
+curl -s https://security.lions.dev/realms/unionflow/.well-known/openid-configuration | jq .
+```
+
+### Vérifier l'accessibilité de l'application
+
+```bash
+curl -I https://unionflow.lions.dev
+curl -I https://unionflow.lions.dev/auth/callback
+curl -I https://unionflow.lions.dev/pages/secure/dashboard.xhtml
+```
+
+---
+
+## Checklist Déploiement
+
+- [x] OAuth redirect-path configuré: `/auth/callback`
+- [x] OAuth redirect-path-after-login configuré: `/pages/secure/dashboard.xhtml`
+- [x] Landing page (index.xhtml) existe et est magnifique
+- [x] web.xml configure index.xhtml comme welcome-file
+- [ ] **Keycloak Valid Redirect URIs contient:** `https://unionflow.lions.dev/auth/callback`
+- [ ] Committer les changements
+- [ ] Déployer en production
+- [ ] Tester le flux OAuth complet
+
+---
+
+**Dernière modification:** 2025-12-21
+**Auteur:** Claude Code
diff --git a/src/main/resources/application-prod.properties b/src/main/resources/application-prod.properties
index 217cc2c..53adb10 100644
--- a/src/main/resources/application-prod.properties
+++ b/src/main/resources/application-prod.properties
@@ -9,6 +9,42 @@ quarkus.http.so-reuse-port=true quarkus.http.tcp-quick-ack=true quarkus.http.tcp-cork=true +# =================================================================================================== +# Headers de Sécurité HTTP - PRODUCTION +# =================================================================================================== +# Prévention du MIME sniffing +quarkus.http.header."X-Content-Type-Options".value=nosniff +quarkus.http.header."X-Content-Type-Options".methods=GET,POST,PUT,DELETE,PATCH + +# Protection contre le clickjacking +quarkus.http.header."X-Frame-Options".value=DENY +quarkus.http.header."X-Frame-Options".methods=GET,POST,PUT,DELETE,PATCH + +# HSTS - Force HTTPS pour 1 an +quarkus.http.header."Strict-Transport-Security".value=max-age=31536000; includeSubDomains; preload +quarkus.http.header."Strict-Transport-Security".methods=GET,POST,PUT,DELETE,PATCH + +# Content Security Policy +# Permet 'unsafe-inline' pour PrimeFaces/JSF qui génèrent des scripts inline +quarkus.http.header."Content-Security-Policy".value=default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'none' +quarkus.http.header."Content-Security-Policy".methods=GET,POST,PUT,DELETE,PATCH + +# Protection XSS (legacy, mais utile pour anciens navigateurs) +quarkus.http.header."X-XSS-Protection".value=1; mode=block +quarkus.http.header."X-XSS-Protection".methods=GET,POST,PUT,DELETE,PATCH + +# Politique de référents +quarkus.http.header."Referrer-Policy".value=strict-origin-when-cross-origin +quarkus.http.header."Referrer-Policy".methods=GET,POST,PUT,DELETE,PATCH + +# Permissions Policy (anciennement Feature-Policy) +quarkus.http.header."Permissions-Policy".value=geolocation=(), microphone=(), camera=() +quarkus.http.header."Permissions-Policy".methods=GET,POST,PUT,DELETE,PATCH + +# Compression HTTP pour améliorer les performances 
+quarkus.http.enable-compression=true +quarkus.http.compression-level=6 + # Configuration Session HTTP - Production quarkus.http.session-timeout=60m quarkus.http.session-cookie-same-site=strict @@ -59,7 +95,7 @@ unionflow.backend.url=${UNIONFLOW_BACKEND_URL:https://api.lions.dev/unionflow} quarkus.rest-client."unionflow-api".url=${unionflow.backend.url} quarkus.rest-client."unionflow-api".scope=jakarta.inject.Singleton quarkus.rest-client."unionflow-api".connect-timeout=5000 -quarkus.rest-client."unionflow-api".read-timeout=30000 +quarkus.rest-client."unionflow-api".read-timeout=15000 quarkus.rest-client."unionflow-api".providers=dev.lions.unionflow.client.service.RestClientExceptionMapper,dev.lions.unionflow.client.security.JwtClientRequestFilter # Configuration Keycloak OIDC - Production @@ -68,10 +104,13 @@ quarkus.oidc.auth-server-url=${KEYCLOAK_AUTH_SERVER_URL:https://security.lions.d quarkus.oidc.client-id=unionflow-client quarkus.oidc.credentials.secret=${KEYCLOAK_CLIENT_SECRET} quarkus.oidc.application-type=web-app -# Use default Quarkus OIDC callback path: /q/oidc/code-flow/callback +# Callback path - must match Keycloak Valid Redirect URIs configuration +quarkus.oidc.authentication.redirect-path=/auth/callback # quarkus.oidc.authentication.redirect-path is NOT set - let Quarkus use its default quarkus.oidc.authentication.force-redirect-https-scheme=true quarkus.oidc.authentication.restore-path-after-redirect=true +# Default landing page after successful login +quarkus.oidc.authentication.redirect-path-after-login=/pages/secure/dashboard.xhtml quarkus.oidc.authentication.scopes=openid,profile,email,roles quarkus.oidc.token.issuer=https://security.lions.dev/realms/unionflow quarkus.oidc.tls.verification=required
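Review bot: Every `.methods=GET,POST,PUT,DELETE,PATCH` line in this hunk omits HEAD and OPTIONS, so none of these security headers is sent on a HEAD response — which is exactly what the `curl -I` diagnostics in the accompanying KEYCLOAK_VERIFICATION.md issue, and it also leaves preflight responses without HSTS. If I recall Quarkus semantics correctly, a `quarkus.http.header."…"` entry with no `.methods` key applies to all methods, so the simplest fix is to delete the six `.methods` lines rather than extend the list. The CSP's `script-src 'self' 'unsafe-inline' 'unsafe-eval'` buys little against XSS (the comment explains why PrimeFaces needs it), but `base-uri` does not fall back to `default-src` and is absent, so I would at least append `; base-uri 'self'` to the `Content-Security-Policy` value and plan a nonce-based policy later. `X-XSS-Protection: 1; mode=block` is the value current guidance recommends against because the legacy auditor enabled cross-site leaks; if the header is kept at all, `0` is the safer value. Finally, `quarkus.http.enable-compression=true` will compress the HTML that carries JSF ViewState tokens, so the BREACH exposure should be confirmed acceptable before this ships to production.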
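Review bot: The context line `# quarkus.oidc.authentication.redirect-path is NOT set - let Quarkus use its default` now sits directly under the new `quarkus.oidc.authentication.redirect-path=/auth/callback` and contradicts it; it should be deleted in this change rather than left to mislead the next reader. I could not confirm from this file that `quarkus.oidc.authentication.redirect-path-after-login` is a recognised key in the Quarkus version in use (an unrecognised `quarkus.*` key is only warned about at startup, not rejected), and with `restore-path-after-redirect=true` the originally requested path would normally be restored anyway, so the intended landing behaviour should be verified on a real login rather than assumed from the comment. Note also that `quarkus.oidc.token.issuer` is pinned to `https://security.lions.dev/realms/unionflow` while `auth-server-url` is overridable through `KEYCLOAK_AUTH_SERVER_URL`; pointing the env var at another host or realm will make every token fail issuer validation, which is fail-closed but deserves a comment such as `# issuer is intentionally pinned and must match KEYCLOAK_AUTH_SERVER_URL`.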