diff --git a/.changeset/fresh-pandas-drive.md b/.changeset/fresh-pandas-drive.md
new file mode 100644
index 000000000000..5240ecb9328e
--- /dev/null
+++ b/.changeset/fresh-pandas-drive.md
@@ -0,0 +1,5 @@
+---
+'astro': patch
+---
+
+Fixes a type and an example in documenting the `security.checkOrigin` property of Astro config.
diff --git a/packages/astro/src/types/public/config.ts b/packages/astro/src/types/public/config.ts
index d83872cce558..257f1ffc10d3 100644
--- a/packages/astro/src/types/public/config.ts
+++ b/packages/astro/src/types/public/config.ts
@@ -442,8 +442,8 @@ export interface AstroUserConfig {
 /**
 * @docs
 * @name security
- * @type {boolean}
- * @default `{}`
+ * @type {Record<"checkOrigin", boolean> | undefined}
+ * @default `{checkOrigin: true}`
 * @version 4.9.0
 * @description
 *
@@ -451,12 +451,16 @@ export interface AstroUserConfig {
 *
 * These features only exist for pages rendered on demand (SSR) using `server` mode or pages that opt out of prerendering in `static` mode.
 *
+ * By default, Astro will automatically check that the “origin” header
+ * matches the URL sent by each request in on-demand rendered pages. You can
+ * disable this behavior by setting `checkOrigin` to `false`:
+ *
 * ```js
 * // astro.config.mjs
 * export default defineConfig({
 * output: "server",
 * security: {
- * checkOrigin: true
+ * checkOrigin: false
 * }
 * })
 * ```
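Review bot: The new `@type {Record<"checkOrigin", boolean> | undefined}` tag in the `@@ -442,8` hunk documents `checkOrigin` as a required key once `security` is set. The property declaration is outside this hunk, so this is unconfirmed, but if the field is declared optional the tag should mirror it, for example `@type {{ checkOrigin?: boolean } | undefined}`. Otherwise a reader may assume that `security: {}` is invalid, or be unsure whether an omitted key still leaves the check enabled. The `@default` line already says the check is on, so the type is the only part left ambiguous.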
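Review bot: In the `@@ -451,12` hunk the only example under `security` now shows `checkOrigin: false`, and the added paragraph never says what protection is given up by copying it. I would add one line after "disable this behavior", such as `* Disabling it removes this cross-site request forgery (CSRF) safeguard for on-demand rendered pages.`, so the trade-off sits next to the snippet. The phrase "each request" may also overstate the scope: I believe the check applies only to certain methods and content types, which should be confirmed against the `security.checkOrigin` entry. The doc comment starts in the previous hunk and its closing `*/` is outside this one.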