diff --git a/src/Server/ZB.MOM.WW.OtOpcUa.AdminUI/Components/Pages/Login.razor b/src/Server/ZB.MOM.WW.OtOpcUa.AdminUI/Components/Pages/Login.razor
index 6a4d5d4..f9c88cc 100644
--- a/src/Server/ZB.MOM.WW.OtOpcUa.AdminUI/Components/Pages/Login.razor
+++ b/src/Server/ZB.MOM.WW.OtOpcUa.AdminUI/Components/Pages/Login.razor
@@ -10,8 +10,8 @@
 
 <div class="login-wrap rise" style="animation-delay:.02s">
     <section class="panel">
-        <div class="panel-head">OtOpcUa Admin &mdash; sign in</div>
-        <div style="padding:1.1rem 1.1rem 1.25rem">
+        <div style="padding:1.4rem 1.1rem 1.25rem">
+            <h1 class="login-title">MxAccess Gateway Admin &mdash; sign in</h1>
             <form method="post" action="/auth/login" data-enhance="false">
                 @if (ReturnUrl is not null)
                 {
diff --git a/src/Server/ZB.MOM.WW.OtOpcUa.AdminUI/wwwroot/css/site.css b/src/Server/ZB.MOM.WW.OtOpcUa.AdminUI/wwwroot/css/site.css
index 6bced4c..86474a5 100644
--- a/src/Server/ZB.MOM.WW.OtOpcUa.AdminUI/wwwroot/css/site.css
+++ b/src/Server/ZB.MOM.WW.OtOpcUa.AdminUI/wwwroot/css/site.css
@@ -49,6 +49,16 @@
     }
 }
 
+/* Login card title. Replaces the panel-head top strip on the login page so the
+   card reads as a self-contained sign-in form, not a tabbed panel. */
+.login-title {
+    margin: 0 0 1.1rem 0;
+    font-size: 1.05rem;
+    font-weight: 600;
+    letter-spacing: 0.01em;
+    color: var(--ink);
+}
+
 /* Brand block pinned at the top of the side rail. Mirrors ScadaLink's
    .sidebar .brand styling — used now that the top app-bar was dropped. */
 .side-rail .brand {
diff --git a/src/Server/ZB.MOM.WW.OtOpcUa.Security/Endpoints/AuthEndpoints.cs b/src/Server/ZB.MOM.WW.OtOpcUa.Security/Endpoints/AuthEndpoints.cs
index 094f81d..03f685d 100644
--- a/src/Server/ZB.MOM.WW.OtOpcUa.Security/Endpoints/AuthEndpoints.cs
+++ b/src/Server/ZB.MOM.WW.OtOpcUa.Security/Endpoints/AuthEndpoints.cs
@@ -115,6 +115,13 @@ public static class AuthEndpoints
     private static async Task<IResult> LogoutAsync(HttpContext http)
     {
         await http.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
-        return Results.NoContent();
+
+        // Browser form POST → redirect to /login so the user lands somewhere visible.
+        // API callers that prefer the status-only contract should hit the endpoint with
+        // Accept: application/json and we'll hand them a 204 instead.
+        var wantsJson = http.Request.Headers.Accept.Any(v =>
+            v?.Contains("application/json", StringComparison.OrdinalIgnoreCase) == true);
+        if (wantsJson) return Results.NoContent();
+        return Results.Redirect("/login");
     }
 }