diff --git a/services/nginx.nix b/services/nginx.nix
index 2c7c559..98e64c6 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
@@ -96,10 +96,13 @@ in
         "sonarr.nordhammer.it"   = protectedProxy 8989;
         "radarr.nordhammer.it"   = protectedProxy 7878;
         "prowlarr.nordhammer.it" = protectedProxy 9696;
-        # qBit trips its own session auth on any SID cookie the browser
-        # has cached; strip cookies so localhost-bypass always wins.
+        # qBit's CSRF check rejects any request whose Referer origin differs
+        # from the Host — after Authelia's redirect the Referer is
+        # auth.nordhammer.it, which trips the check. Strip it so qBit skips.
+        # Cookie stripped too so cached SID cookies don't fight localhost-bypass.
         "torrent.nordhammer.it"  = lib.recursiveUpdate (protectedProxy 8080) {
           locations."/".extraConfig = autheliaAuthConfig + ''
+            proxy_set_header Referer "";
             proxy_set_header Cookie "";
             proxy_hide_header Set-Cookie;
           '';
diff --git a/services/qbittorrent-nox.nix b/services/qbittorrent-nox.nix
index 006f8e0..f15db75 100644
--- a/services/qbittorrent-nox.nix
+++ b/services/qbittorrent-nox.nix
@@ -20,13 +20,10 @@
 		};
 		
 		systemd.tmpfiles.rules = [
-			# qbittorrent app data
+			# qbittorrent app data — Z recursively enforces ownership/perms on boot
+			# (self-heals UID/GID drift from migrations etc.)
 			"d /var/lib/qbittorrent 0755 qbittorrent media -"
-			"d /var/lib/qbittorrent/.config 0755 qbittorrent media -"
-			"d /var/lib/qbittorrent/.config/qBittorrent 0755 qbittorrent media -"
-			"d /var/lib/qbittorrent/.local 0755 qbittorrent media -"
-			"d /var/lib/qbittorrent/.local/share 0755 qbittorrent media -"
-			"d /var/lib/qbittorrent/.local/share/qBittorrent 0755 qbittorrent media -"
+			"Z /var/lib/qbittorrent 0755 qbittorrent media -"
 
 			# Storage - qbittorrent downloads here
 			"d /mnt/storage/torrents/downloads 2775 qbittorrent media -"