diff --git a/bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java b/bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java
index fc51f01..6a74d64 100644
--- a/bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java
+++ b/bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java
@@ -40,16 +40,12 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 	@Autowired
 	private UserDetailServiceImpl userDetailService;
 
-	@Autowired
-	private static BookStoreAccessDeniedHandler bookStoreAccessDeniedHandler;
-
     @Autowired
     public void configureGlobal(AuthenticationManagerBuilder authManagerBuilder)
     		throws Exception {
     	authManagerBuilder.userDetailsService(userDetailService);
     }
 
-
     /*
      * Have different HTTP security policies for:
      *
@@ -70,9 +66,10 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 					authorize -> authorize
 					.anyRequest().hasAuthority("ADMIN")
 					)
-			.httpBasic()
+				.httpBasic()
 			.and()
-				.csrf().disable()
+				.csrf()
+					.disable()
 			;
 		}
 
@@ -89,9 +86,11 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 */
 		@Override
 		protected void configure(HttpSecurity httpSecurity) throws Exception {
+
 			httpSecurity
 			.authorizeRequests()
 				.antMatchers(
+					"/h2-console/**",
 					"/",
 					"/booklist",
 					"/error",
@@ -105,24 +104,27 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 				.authenticated()
 			.and()
 				.formLogin()
-			// TODO do not expose /login URI end point (prevent direct access)
-				.defaultSuccessUrl("/booklist")
-//				.loginPage("/booklist")
-//				.permitAll()
+					.defaultSuccessUrl("/booklist")
+					.permitAll()
 			.and()
 				.logout()
 					.logoutSuccessUrl("/booklist")
 					.permitAll()
 					.invalidateHttpSession(true)
 					.clearAuthentication(true)
+					.deleteCookies("JSESSIONID")
 			.and()
 				.exceptionHandling()
-				.accessDeniedHandler(bookStoreAccessDeniedHandler)
+					.accessDeniedHandler(new BookStoreAccessDeniedHandler())
 			.and()
 				.csrf()
+					.ignoringAntMatchers("/h2-console/**")
 			.and()
 				.sessionManagement()
 					.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
+			.and()
+				.headers()
+					.frameOptions().sameOrigin()
 			;
 
 		}
diff --git a/bookstore/src/main/resources/templates/fragments/devusers.html b/bookstore/src/main/resources/templates/fragments/devusers.html
index 09b6343..ebc5f38 100644
--- a/bookstore/src/main/resources/templates/fragments/devusers.html
+++ b/bookstore/src/main/resources/templates/fragments/devusers.html
@@ -43,6 +43,7 @@
 					</tr>
 				</tbody>
 			</table>
+			<a href="/h2-console/">H2 database console</a>
 		</div>
 	</th:block>
 </body>