diff --git a/src/config.js b/src/config.js
index c41df9c..d2c6008 100644
--- a/src/config.js
+++ b/src/config.js
@@ -93,7 +93,14 @@ function loadConfig() {
 loadConfig();
 export function getPublicConfig() {
- return { ...config };
+ // Create a deep copy and redact sensitive fields
+ const publicConfig = JSON.parse(JSON.stringify(config));
+
+ // Redact sensitive values
+ if (publicConfig.webuiPassword) publicConfig.webuiPassword = '********';
+ if (publicConfig.apiKey) publicConfig.apiKey = '********';
+
+ return publicConfig;
 }
 export function saveConfig(updates) {
diff --git a/src/webui/index.js b/src/webui/index.js
index a47daf9..06aa9a0 100644
--- a/src/webui/index.js
+++ b/src/webui/index.js
@@ -127,8 +127,9 @@ function createAuthMiddleware() {
 // Determine if this path should be protected
 const isApiRoute = req.path.startsWith('/api/');
- const isException = req.path === '/api/auth/url' || req.path === '/api/config';
- const isProtected = (isApiRoute && !isException) || req.path === '/account-limits' || req.path === '/health';
+ const isAuthUrl = req.path === '/api/auth/url';
+ const isConfigGet = req.path === '/api/config' && req.method === 'GET';
+ const isProtected = (isApiRoute && !isAuthUrl && !isConfigGet) || req.path === '/account-limits' || req.path === '/health';
 if (isProtected) {
 const providedPassword = req.headers['x-webui-password'] || req.query.password;
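Review bot: The redaction added to `getPublicConfig()` is a denylist of two top-level keys (`webuiPassword`, `apiKey`), so any other secret held in `config` now or added later (tokens, nested credentials) is still returned unmasked. That matters more here because the `src/webui/index.js` hunk of this commit keeps `GET /api/config` reachable without a password. Building the result from an explicit list of keys known to be safe would fail closed, e.g. `const PUBLIC_KEYS = [/* keys safe to expose */];` followed by `return Object.fromEntries(PUBLIC_KEYS.filter((k) => k in config).map((k) => [k, structuredClone(config[k])]));`. It is also worth confirming that a client which posts the returned object back cannot store the literal `'********'` as the real password; `saveConfig` is visible here only as a signature.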
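Review bot: The new `isAuthUrl` and `isConfigGet` tests, like the existing `req.path.startsWith('/api/')`, compare the raw path exactly and case-sensitively, whereas Express's router by default matches case-insensitively and tolerates a trailing slash (this looks like Express; confirm). If so, the middleware and the router can disagree about which handler a request reaches, and for `isApiRoute` that disagreement fails open. Normalise once and use the result in every comparison, e.g. `const path = req.path.toLowerCase().replace(/\/+$/, '') || '/';`, or enable `app.set('case sensitive routing', true)` and `app.set('strict routing', true)`. Separately, the context line still accepts the password from `req.query.password`, which tends to end up in access logs and browser history. The body of `createAuthMiddleware` starts and ends outside this hunk.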