diff --git a/src/mcwaddams/utils/caching.py b/src/mcwaddams/utils/caching.py
index daa339f..7ce869c 100644
--- a/src/mcwaddams/utils/caching.py
+++ b/src/mcwaddams/utils/caching.py
@@ -14,8 +14,20 @@ from .validation import OfficeFileError
 # Environment variable to control local file access
-# Default to False (secure) - set to "true" for local stdio transport
-MCP_ALLOW_LOCAL_FILES = os.environ.get("MCP_ALLOW_LOCAL_FILES", "false").lower() == "true"
+# Default depends on transport mode:
+# - stdio (local): allow local files by default
+# - streamable-http (remote): block local files by default
+def _get_allow_local_files() -> bool:
+ """Determine if local file access is allowed based on transport mode."""
+ explicit = os.environ.get("MCP_ALLOW_LOCAL_FILES")
+ if explicit is not None:
+ return explicit.lower() == "true"
+
+ # If not explicitly set, default based on transport mode
+ transport = os.environ.get("MCP_TRANSPORT", "stdio").lower()
+ return transport == "stdio"
+
+MCP_ALLOW_LOCAL_FILES = _get_allow_local_files()
 class OfficeFileCache:
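Review bot: With neither variable set, `_get_allow_local_files()` now returns True, because `MCP_TRANSPORT` falls back to `"stdio"`, whereas the previous default was to block local files. The value is read from the environment once at import time, so if the HTTP server selects its transport through a CLI flag or code path that does not also export `MCP_TRANSPORT` (not visible in this hunk), a remote deployment would accept local paths. Consider failing closed when the transport is unknown, `transport = os.environ.get("MCP_TRANSPORT", "").strip().lower()`, with the stdio entry point setting the variable, or derive the flag from the transport the server actually starts. The docstring should also state the precedence: an explicit `MCP_ALLOW_LOCAL_FILES` wins, and any value other than `true` (case-insensitive) disables access.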