diff --git a/server/routes/auth.js b/server/routes/auth.js
index 1027d08..b7ca432 100644
--- a/server/routes/auth.js
+++ b/server/routes/auth.js
@@ -47,18 +47,23 @@ router.get('/config/:tenantId', async (req, res) => {
 });
 }
- // Return public auth configuration (no secrets)
+ // Return MINIMAL public auth configuration (no internal settings exposed)
 const publicConfig = {
 provider: tenant.auth_provider,
 enabled: tenant.is_active,
 features: {
 local_login: tenant.auth_provider === 'local',
 sso_login: ['saml', 'oauth', 'ldap'].includes(tenant.auth_provider),
- registration: tenant.auth_provider === 'local' && tenant.allow_registration
+ // Only show registration as enabled if ALL server-side checks would pass
+ registration: (
+ tenant.auth_provider === 'local' &&
+ tenant.is_active &&
+ tenant.allow_registration
+ )
 }
 };
- // Add provider-specific public config
+ // Add provider-specific public config (URLs only - no secrets)
 if (tenant.auth_provider === 'saml') {
 publicConfig.saml = {
 login_url: `/auth/saml/${tenantId}/login`,
@@ -70,6 +75,9 @@ router.get('/config/:tenantId', async (req, res) => {
 };
 }
+ // Add security notice for developers
+ publicConfig._security_notice = "This config is for UI display only. All security validations occur server-side.";
+
 res.json({
 success: true,
 data: publicConfig
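Review bot: The new `registration` expression evaluates to the raw value of `tenant.allow_registration` (not a boolean) whenever the first two conditions hold, so if that column is stored as 0/1 or a string the public JSON carries the stored value instead of `true`/`false`; `enabled: tenant.is_active` in the same object has the same exposure. Coerce both at the boundary: `enabled: Boolean(tenant.is_active),` and `registration: Boolean(tenant.auth_provider === 'local' && tenant.is_active && tenant.allow_registration)`. The `tenantId` interpolated into `login_url` comes from the route parameter; whether it is validated before reaching this hunk is outside the visible lines, so a short comment such as `// tenantId is validated/looked up above before being echoed into URLs` would help the next reader confirm it. The enclosing route handler starts and ends outside the hunk.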
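Review bot: `publicConfig._security_notice` ships a developer-facing sentence in every response body of this public endpoint, which adds a key clients may start to rely on and grows the payload without serving the UI the comment says it is for. A note for developers belongs in the source, not the wire format: replace the assignment and its comment with `// NOTE: publicConfig is for UI display only; all security validation (tenant state, registration, provider) happens server-side.` placed above `res.json({`, and drop the `_security_notice` property. The `res.json` call continues outside the hunk.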