diff --git a/backend/app/deps.py b/backend/app/deps.py
index df0cc68..454cab7 100644
--- a/backend/app/deps.py
+++ b/backend/app/deps.py
@@ -36,8 +36,10 @@ async def get_current_admin(
current_user: User = Depends(get_current_user),
) -> User:
if not current_user.is_superuser:
+ # Return 404 instead of 403 — reveals neither the existence of the
+ # endpoint nor that the caller lacks permission.
raise HTTPException(
- status_code=status.HTTP_403_FORBIDDEN,
- detail="Admin access required",
+ status_code=status.HTTP_404_NOT_FOUND,
+ detail="Not found",
)
return current_user
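Review bot: The new `detail="Not found"` does not match the body Starlette/FastAPI emit for a genuinely unmatched route, which is the HTTPStatus phrase `{"detail":"Not Found"}` (capital N), so a caller can still tell this dependency's 404 apart from the router's own and the new comment's claim that nothing is revealed only partly holds; `detail="Not Found",` keeps the two bodies identical (headers and timing are a separate question this hunk does not address). The comment should also state the scope of the masking: it only runs once `get_current_user` has succeeded, so presumably an unauthenticated caller is still rejected earlier with whatever that dependency raises, and the 404 hides the endpoint only from authenticated non-superusers — e.g. `# Only reached for authenticated callers; get_current_user handles the unauthenticated case.` get_current_admin's signature starts above the hunk's first line.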
diff --git a/frontend/src/App.tsx b/frontend/src/App.tsx
index 44ba8ec..18c534a 100644
--- a/frontend/src/App.tsx
+++ b/frontend/src/App.tsx
@@ -21,7 +21,8 @@ function AdminRoute({ children }: { children: React.ReactNode }) {
if (!token) return ;
// Wait for the me query before deciding — prevents a flash redirect
if (isLoading) return null;
- if (!user?.is_admin) return ;
+ // Redirect to /login (not /) so the route appears not to exist
+ if (!user?.is_admin) return ;
return <>{children}>;
}
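Review bot: The new redirect target cannot be verified here because the JSX on both `return ;` lines and the `<>{children}>` fragment appears stripped in this rendering of the hunk; the comment names `/login`, so this review assumes something like `<Navigate to="/login" />` on the new line. A caller that reaches this line is already authenticated (token present, `user` loaded), so sending them to `/login` can bounce back and forth if the login route redirects authenticated users to a default page — worth confirming against the login route, which is outside this hunk. The comment should also make clear that this client-side redirect is a UX measure and not the control: the backend's `get_current_admin` dependency is what withholds admin resources, e.g. `// UX only — the API's admin dependency is the enforcement point`. AdminRoute's signature is above the hunk's first line.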