diff --git a/internal/server/config.go b/internal/server/config.go
index 27ce514..ce1773c 100644
--- a/internal/server/config.go
+++ b/internal/server/config.go
@@ -196,7 +196,11 @@ func DefaultConfig() *Config {
 ReadTimeout: "10s",
 WriteTimeout: "30s",
 IdleTimeout: "60s",
-MarketingURL: "http://localhost:5173",
+// Intentionally empty — an unset MarketingURL makes marketing
+// redirects 404 cleanly. The old localhost default leaked into
+// production OAuth redirects when operators forgot to set the
+// env var, sending real users to http://localhost:5173.
+MarketingURL: "",
 CookieDomain: "",
 AllowedOrigins: []string{
 "http://localhost:5173",
diff --git a/internal/server/config_test.go b/internal/server/config_test.go
index b3e4534..21acd25 100644
--- a/internal/server/config_test.go
+++ b/internal/server/config_test.go
@@ -48,6 +48,9 @@ func TestDefaultConfig(t *testing.T) {
 if cfg.Email.FromAddress != "no-reply@example.com" {
 t.Errorf("Email.FromAddress = %q, want %q", cfg.Email.FromAddress, "no-reply@example.com")
 }
+if cfg.Server.MarketingURL != "" {
+t.Errorf("Server.MarketingURL default = %q, want empty string (no localhost leak in prod)", cfg.Server.MarketingURL)
+}
 }
 
 // TestOverrideWithEnv_FillsEmptySecrets verifies env vars populate Config fields
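Review bot: The default AllowedOrigins three lines below the new comment still lists http://localhost:5173, so the hazard the comment describes — a development-only localhost value surviving into production when an operator forgets to override it — remains for the CORS allow-list after this change; either give AllowedOrigins the same empty, fail-closed default or state in the comment why that one is deliberately kept. The claim that an unset MarketingURL makes redirects "404 cleanly" depends on handler code outside this hunk; I'd confirm the redirect path refuses an empty target rather than issuing a redirect to "" before relying on the comment. If startup validation rejects an empty MarketingURL outside dev, referencing it here would keep a later maintainer from reinstating a localhost default, e.g. `// Keep empty; see the config validation that requires MarketingURL outside dev (if present).` DefaultConfig begins before and continues after this hunk.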