diff --git a/internal/middleware/cors.go b/internal/middleware/cors.go
index b0ebac9..daed6f2 100644
--- a/internal/middleware/cors.go
+++ b/internal/middleware/cors.go
@@ -6,29 +6,15 @@ import (
 "github.com/rs/cors"
 )
 
-// CORSConfig defines the configuration options for CORS middleware
 type CORSConfig struct {
- // AllowedOrigins defines the origins that are allowed to access the resource
- AllowedOrigins []string
-
- // AllowedMethods defines the HTTP methods that are allowed
- AllowedMethods []string
-
- // AllowedHeaders defines the headers that are allowed in requests
- AllowedHeaders []string
-
- // ExposedHeaders defines the headers that can be read by the browser
- ExposedHeaders []string
-
- // AllowCredentials defines whether cookies, HTTP authentication and client SSL
- // certificates can be transmitted in cross-origin requests
+ AllowedOrigins []string
+ AllowedMethods []string
+ AllowedHeaders []string
+ ExposedHeaders []string
 AllowCredentials bool
-
- // MaxAge defines how long (in seconds) the results of a preflight request can be cached
- MaxAge int
+ MaxAge int
 }
 
-// DefaultCORSConfig returns a default configuration for CORS middleware
 func DefaultCORSConfig() CORSConfig {
 return CORSConfig{
 AllowedOrigins: []string{},
diff --git a/internal/middleware/csrf.go b/internal/middleware/csrf.go
index fa91cce..81de5c6 100644
--- a/internal/middleware/csrf.go
+++ b/internal/middleware/csrf.go
@@ -71,10 +71,6 @@ func CSRF(config CSRFConfig) Middleware {
 if config.Cookie.Domain != "" {
 options = append(options, csrf.Domain(config.Cookie.Domain))
 }
-
- // Only check boolean fields if they've been explicitly set
- // For cookie security settings, we only set them if they're being turned off
- // since the secure defaults should be used otherwise
 if !config.Cookie.Secure {
 options = append(options, csrf.Secure(false))
 }
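Review bot: The new side of the cors.go hunk leaves the exported CORSConfig type, all six of its fields and DefaultCORSConfig without doc comments, and the dropped AllowCredentials note was the only text recording that the flag lets cookies, HTTP authentication and client certificates travel on cross-origin requests, which is the one setting here that a deployer can get badly wrong. Go convention is a comment starting with the name on every exported identifier, so restoring at least `// CORSConfig holds the options handed to the rs/cors middleware.`, `// AllowCredentials permits cookies, HTTP authentication and client certificates on cross-origin requests; browsers refuse it together with a wildcard origin, so keep AllowedOrigins explicit when it is on.` and `// DefaultCORSConfig returns the default CORS configuration.` keeps the security-relevant intent visible next to the field. The field realignment itself is gofmt output and needs no change. DefaultCORSConfig's body continues past the end of the hunk.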
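Review bot: The `if !config.Cookie.Secure` branch at the end of the csrf.go hunk now carries no comment, and the deleted one was the only record of why the Secure option is forwarded solely when it is false: Cookie.Secure is a plain bool, so a zero-value or partially filled CSRFConfig reads as false here and turns the Secure cookie flag off, the opposite of the "secure defaults" the removed text described. A one-line why-comment such as `// Forward only the opt-out: the library defaults Secure to on, so an unset Cookie.Secure silently disables it.` keeps that pitfall visible at the point where the option is built. If the silent downgrade is unwanted, a `*bool` field (nil meaning keep the library default) would make the opt-out explicit, but that is a wider change than this hunk. CSRF begins before and continues after this hunk.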