diff --git a/backend/config/passportConfig.js b/backend/config/passportConfig.js
index 50db1f6..a6a0590 100644
--- a/backend/config/passportConfig.js
+++ b/backend/config/passportConfig.js
@@ -35,14 +35,14 @@ passport.serializeUser((user, done) => {
 });
 // Deserialize user (retrieve user from session)
+// .select('-password -__v') excludes the bcrypt hash from req.user so it
+// cannot be accidentally serialized into an API response.
+// .lean() returns a plain object instead of a Mongoose document, preventing
+// model methods from being accessible on req.user.
 passport.deserializeUser(async (id, done) => {
 try {
- const user = await User.findById(id);
- done(null, user ? {
- id: user._id.toString(),
- username: user.username,
- email: user.email
- } : null);
+ const user = await User.findById(id).select('-password -__v').lean();
+ done(null, user);
 } catch (err) {
 done(err, null);
 }