diff --git a/app/__init__.py b/app/__init__.py
index b797b93..afd7ece 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -37,9 +37,8 @@ def create_app():
     app.config["JWT_TOKEN_LOCATION"] = ["cookies"]
     app.config["JWT_COOKIE_SECURE"] = False # Set to True in production
     app.config["JWT_COOKIE_CSRF_PROTECT"] = False
-    app.config["JWT_ACCESS_COOKIE_PATH"] = (
-        "/" # Allow access to all paths including SocketIO
-    )
+    app.config["JWT_COOKIE_SAMESITE"] = "Lax" # Allow cross-origin requests
+    app.config["JWT_ACCESS_COOKIE_PATH"] = "/api/" # Restrict to API paths only
     app.config["JWT_REFRESH_COOKIE_PATH"] = "/api/auth/refresh"
 
     # Initialize CORS
@@ -56,6 +55,7 @@ def create_app():
         app,
         cors_allowed_origins="http://localhost:3000",
         cors_credentials=True,
+        path="/api/socket.io/", # Use /api prefix for Socket.IO
     )
 
     # Initialize JWT manager
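Review bot: The comment on the new `JWT_COOKIE_SAMESITE = "Lax"` line is misleading: Lax does not let cross-origin XHR/fetch carry the cookie, it only attaches it to same-site requests and top-level GET navigations, and the `http://localhost:3000` origin allowed by CORS only keeps working because a port difference does not make a request cross-site. If the frontend and API are ever served from different hosts this setting will silently drop the JWT cookie, and the fix (`"None"`) requires `JWT_COOKIE_SECURE = True` and makes re-enabling `JWT_COOKIE_CSRF_PROTECT` (still `False` in the context above) necessary, since SameSite would no longer be providing any CSRF mitigation. I would reword it to `# Lax: cookie is sent on same-site requests only; a cross-site deployment needs "None" + Secure + CSRF protection`. The `# Restrict to API paths only` comment likewise overstates the cookie Path attribute, which is a scoping hint rather than a security boundary (RFC 6265 §8.6), so it should not be read as isolating the token from non-API routes on the same origin. The enclosing `create_app()` starts before and continues after this hunk.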
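Review bot: The new `path="/api/socket.io/"` argument is what keeps the Socket.IO handshake inside the `/api/` cookie path set in the first hunk, but that dependency is not stated anywhere and the socket.io-client default path is `/socket.io/`, so the frontend must be changed in lockstep or the connection will fail without the cookie ever being involved (assuming the client does not already override the path). I would record the coupling on this line: `# must match the client's path option and stay under JWT_ACCESS_COOKIE_PATH`. The `SocketIO(...)` call and `create_app()` both extend beyond this hunk.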