diff --git a/frontend/lib/auth.ts b/frontend/lib/auth.ts
index c83ec152..751222e8 100644
--- a/frontend/lib/auth.ts
+++ b/frontend/lib/auth.ts
@@ -6,11 +6,12 @@ import { cookies } from 'next/headers';
 import { db } from '@/db';
 import { users } from '@/db/schema/users';
+import { readServerEnv } from '@/lib/env/server-env';
 const AUTH_COOKIE_NAME = 'auth_session';
 const AUTH_TOKEN_MAX_AGE = 60 * 60 * 24 * 7; // 7 days
-const _AUTH_SECRET = process.env.AUTH_SECRET;
+const _AUTH_SECRET = readServerEnv('AUTH_SECRET');
 if (!_AUTH_SECRET) {
 throw new Error('AUTH_SECRET is not defined');
diff --git a/frontend/lib/security/csrf.ts b/frontend/lib/security/csrf.ts
index cfb6e481..6346d723 100644
--- a/frontend/lib/security/csrf.ts
+++ b/frontend/lib/security/csrf.ts
@@ -4,11 +4,13 @@ import crypto from 'node:crypto';
 import type { NextRequest } from 'next/server';
+import { readServerEnv } from '@/lib/env/server-env';
+
 export const CSRF_FORM_FIELD = 'csrfToken' as const;
 const DEFAULT_TTL_SECONDS = 60 * 60;
 function getSecret(): string {
- const secret = process.env.CSRF_SECRET;
+ const secret = readServerEnv('CSRF_SECRET');
 if (!secret) throw new Error('Missing env var: CSRF_SECRET');
 return secret;
 }
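Review bot: The guard that follows the new `readServerEnv('AUTH_SECRET')` call in `frontend/lib/auth.ts` only rejects an empty or undefined value, so a whitespace-only or very short secret still passes. The same holds for the `if (!secret)` check in `getSecret()` in `frontend/lib/security/csrf.ts`. `readServerEnv` is not visible in this diff, so its contract should be confirmed: if it throws on a missing variable, this check and its message never run, and if it returns the raw string, trimming is left to the caller. A stricter guard would make weak configuration fail loudly, for example `if (!_AUTH_SECRET || _AUTH_SECRET.trim().length < MIN_SECRET_LENGTH) {`, where `MIN_SECRET_LENGTH` is a placeholder for a project-chosen constant. The `if` block continues past the end of the hunk.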
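Review bot: `getSecret()` in `frontend/lib/security/csrf.ts` still resolves `CSRF_SECRET` on each call, while `frontend/lib/auth.ts` checks `AUTH_SECRET` at module load. A missing CSRF secret therefore presumably surfaces only when a token is first created or verified, not at startup. If the lazy read is deliberate, a comment above the function would record it, such as `// Read lazily: a missing CSRF_SECRET fails at first use, not at import.` The same comment could state that `CSRF_SECRET` is expected to differ from `AUTH_SECRET`, since nothing in the visible code enforces key separation.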