diff --git a/config-example.yaml b/config-example.yaml
index 9320439804..eb5a12a907 100644
--- a/config-example.yaml
+++ b/config-example.yaml
@@ -369,6 +369,11 @@ unix_socket_permission: "0770"
 # allowed_users:
 # - alice@example.com
 #
+# # Optional: Enable PKCE (Proof Key for Code Exchange) support for enhanced security
+# # and prevent CSRF attacks.
+# # See https://datatracker.ietf.org/doc/html/rfc7636
+# enable_pkce: false
+#
 # # Map legacy users from pre-0.24.0 versions of headscale to the new OIDC users
 # # by taking the username from the legacy user and matching it with the username
 # # provided by the OIDC. This is useful when migrating from legacy users to OIDC
diff --git a/docs/ref/oidc.md b/docs/ref/oidc.md
index 734184df83..3645de31f5 100644
--- a/docs/ref/oidc.md
+++ b/docs/ref/oidc.md
@@ -45,6 +45,12 @@ oidc:
 allowed_users:
 - alice@example.com
 
+ # Optional: Enable PKCE (Proof Key for Code Exchange) support for enhanced security and prevent CSRF attacks
+ # PKCE adds an additional layer of security to the OAuth 2.0 authorization code flow
+ # by preventing authorization code interception attacks
+ # See https://datatracker.ietf.org/doc/html/rfc7636
+ enable_pkce: false
+
 # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
 # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
 # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
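Review bot: The new comment above `enable_pkce` in config-example.yaml describes PKCE as a way to "prevent CSRF attacks", but RFC 7636, which the same comment cites, scopes PKCE to authorization code interception; protection of the redirect endpoint against CSRF is conventionally bound to the `state` parameter (or the OIDC nonce), and the docs/ref/oidc.md hunk in this commit already states the interception purpose correctly. I would align the example-config comment with the docs wording, e.g. `# # Optional: Enable PKCE (Proof Key for Code Exchange, RFC 7636), which binds the token exchange to the client that started the authorization request and mitigates authorization code interception.` The comment could also say that the option is off unless set (`enable_pkce: false` is the shown default) and that the identity provider must support PKCE for the flow to succeed; the server-side behaviour when the provider lacks support is not visible in this diff, so that sentence should be confirmed against the implementation before it is added. The `oidc:` section this option belongs to starts before the hunk.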