diff --git a/Dockerfile b/Dockerfile
index 3c1882c..5df482e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,8 +16,9 @@ ENV QUARKUS_HTTP_HOST=0.0.0.0
ENV UNIONFLOW_BACKEND_URL=https://lions.dev/unionflow
# Configuration Keycloak OIDC
+# IMPORTANT: Les secrets doivent être injectés via Kubernetes Secrets au runtime
ENV KEYCLOAK_AUTH_SERVER_URL=https://security.lions.dev/realms/unionflow
-ENV KEYCLOAK_CLIENT_SECRET=unionflow-client-secret-2025
+# ENV KEYCLOAK_CLIENT_SECRET will be injected via Kubernetes Secret
# Créer l'utilisateur appuser
RUN addgroup -g 185 appuser && adduser -D -u 185 -G appuser appuser
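Review bot: Removing the `ENV KEYCLOAK_CLIENT_SECRET=...` line does not retire the value it carried. The value stays readable in the repository history and in the layers of any image built from the earlier Dockerfile, so the client secret should be rotated in Keycloak, with the new value supplied only through the Kubernetes Secret. The two added comments say the same thing in two languages; one line such as `# KEYCLOAK_CLIENT_SECRET: fourni au runtime par un Secret Kubernetes, jamais via ENV` would be enough. Whether the application refuses to start when the variable is unset is not visible in this hunk and is worth confirming, so that a missing Secret fails loudly rather than silently.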
diff --git a/pom.xml b/pom.xml
index 4f7b628..308b2a9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -214,6 +214,14 @@
17
UTF-8
true
+
+
+
+ org.projectlombok
+ lombok
+ ${lombok.version}
+
+
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 11b4808..520a82a 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -74,7 +74,9 @@ quarkus.oidc.authentication.redirect-path=/auth/callback
quarkus.oidc.authentication.restore-path-after-redirect=true
quarkus.oidc.authentication.scopes=openid,profile,email,roles
quarkus.oidc.token.issuer=https://security.lions.dev/realms/unionflow
-quarkus.oidc.tls.verification=none
+# SÉCURITÉ: TLS verification DOIT être 'required' par défaut
+# Seulement 'none' en développement local (voir application-dev.properties)
+quarkus.oidc.tls.verification=required
# quarkus.oidc.authentication.force-redirect-https=false # Not supported in this Quarkus version
quarkus.oidc.authentication.cookie-same-site=lax
quarkus.oidc.authentication.java-script-auto-redirect=false
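Review bot: The added comment refers to application-dev.properties for the `none` override, but that file is not part of this diff, so the scope of the override cannot be checked from here. Keeping the exception beside the default as `%dev.quarkus.oidc.tls.verification=none` would make it visibly limited to the dev profile. Since the Dockerfile in this same commit configures Quarkus through `ENV`, the deployment manifests should presumably also be checked for an environment override of this property that would bring `none` back in production.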