diff --git a/src/config.cpp b/src/config.cpp
index 83e279d28a6..c45f55ba0db 100644
--- a/src/config.cpp
+++ b/src/config.cpp
@@ -1067,11 +1067,20 @@ namespace config {
     return opts;
   }
 
-  void apply_config(std::unordered_map<std::string, std::string> &&vars) {
+  void log_config_settings(const std::unordered_map<std::string, std::string> &vars, bool save) {
     for (auto &[name, val] : vars) {
-      BOOST_LOG(info) << "config: '"sv << name << "' = "sv << val;
-      modified_config_settings[name] = val;
+      bool is_redacted = std::ranges::find(config::redacted_config, name) != config::redacted_config.end();
+
+      BOOST_LOG(info) << "config: '"sv << name << "' = "sv << (is_redacted ? "[redacted]" : val);
+
+      if (save) {
+        modified_config_settings[name] = val;
+      }
     }
+  }
+
+  void apply_config(std::unordered_map<std::string, std::string> &&vars) {
+    log_config_settings(vars, true);
 
     int_f(vars, "qp", video.qp);
     int_between_f(vars, "hevc_mode", video.hevc_mode, {0, 3});
@@ -1205,12 +1214,19 @@ namespace config {
       "https://[::1]"
     };
 
-    // Append user-configured origins
-    sunshine.csrf_allowed_origins.insert(
-      sunshine.csrf_allowed_origins.end(),
-      user_csrf_origins.begin(),
-      user_csrf_origins.end()
-    );
+    // Validate and append user-configured origins
+    bool csrf_invalid_config = false;
+    for (const auto &origin : user_csrf_origins) {
+      if (origin.size() > 8 && origin.starts_with("https://")) {
+        sunshine.csrf_allowed_origins.push_back(origin);
+      } else {
+        csrf_invalid_config = true;
+        BOOST_LOG(warning) << "Invalid 'csrf_allowed_origins' entry rejected: "sv << origin;
+      }
+    }
+    if (csrf_invalid_config) {
+      BOOST_LOG(warning) << "Please refer to: https://docs.lizardbyte.dev/projects/sunshine/latest/md_docs_2configuration.html#csrf_allowed_origins"sv;
+    }
 
     int to = -1;
     int_between_f(vars, "ping_timeout", to, {-1, std::numeric_limits<int>::max()});
diff --git a/src/config.h b/src/config.h
index 44ade5a3685..eb778a3ac68 100644
--- a/src/config.h
+++ b/src/config.h
@@ -19,6 +19,13 @@ namespace config {
   // track modified config options
   inline std::unordered_map<std::string, std::string> modified_config_settings;
 
+  // sensitive values that should be redacted from logging
+  inline constexpr std::array redacted_config = {
+    "csrf_allowed_origins"
+  };
+
+  void log_config_settings(const std::unordered_map<std::string, std::string> &vars, bool save);
+
   struct video_t {
     // ffmpeg params
     int qp;  // higher == more compression and less quality
diff --git a/src/main.cpp b/src/main.cpp
index f1ded4a9c02..a31818ba874 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -179,9 +179,7 @@ int main(int argc, char *argv[]) {
   log_publisher_data();
 
   // Log modified_config_settings
-  for (auto &[name, val] : config::modified_config_settings) {
-    BOOST_LOG(info) << "config: '"sv << name << "' = "sv << val;
-  }
+  config::log_config_settings(config::modified_config_settings, false);
   config::modified_config_settings.clear();
 
   if (!config::sunshine.cmd.name.empty()) {