diff --git a/server.js b/server.js
index d442033..6844f59 100644
--- a/server.js
+++ b/server.js
@@ -2456,17 +2456,21 @@ pool.query(`
 app.post("/services/:id/log", authMiddleware, async (req, res) => {
   try {
     const { action, details } = req.body;
-    // Buscamos el nombre de quien hace la acción
+    const serviceId = req.params.id;
+
+    // Verificamos propiedad antes de insertar
+    const check = await pool.query("SELECT id FROM scraped_services WHERE id=$1 AND owner_id=$2", [serviceId, req.user.accountId]);
+    if (check.rowCount === 0) return res.status(403).json({ ok: false, error: "No autorizado" });
+
     const userQ = await pool.query("SELECT full_name FROM users WHERE id=$1", [req.user.sub]);
     const userName = userQ.rows[0]?.full_name || "Sistema";
     await pool.query(
       "INSERT INTO scraped_service_logs (scraped_id, user_name, action, details) VALUES ($1, $2, $3, $4)",
-      [req.params.id, userName, action, details || ""]
+      [serviceId, userName, action, details || ""]
     );
     res.json({ ok: true });
   } catch(e) {
-    console.error("Error Log:", e);
     res.status(500).json({ ok: false });
   }
 });
@@ -2474,8 +2478,7 @@ app.post("/services/:id/log", authMiddleware, async (req, res) => {
 // Ruta para LEER el historial de un servicio
 app.get("/services/:id/logs", authMiddleware, async (req, res) => {
   try {
-    // BLINDAJE: Cruzamos el log con la tabla scraped_services
-    // para asegurar que el servicio pertenece al dueño del token
+    // JOIN para asegurar que el log pertenece a un servicio del dueño actual
     const q = await pool.query(`
       SELECT l.* FROM scraped_service_logs l
       JOIN scraped_services s ON l.scraped_id = s.id
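Review bot: The catch block in the POST /services/:id/log handler now answers 500 with no record of what failed, because the only `console.error` was removed and nothing replaced it, so a failing ownership query or INSERT leaves no server-side trace for operators. Keep a log line before the response, e.g. `console.error("Error Log:", e);` (or `e.message` if verbosity was the concern). Separately, `action` is taken from `req.body` with no type check, so a missing or non-string value reaches the INSERT as-is; a guard such as `if (typeof action !== "string" || action.length === 0) return res.status(400).json({ ok: false });` placed before the ownership query would report a 400 instead of a 500 or a null row. The new ownership check compares `owner_id` with `req.user.accountId` while the name lookup two lines later uses `req.user.sub`; presumably these are distinct identifiers by design, but it is worth confirming that `owner_id` holds the account id rather than the user id, since a mismatch would reject every caller.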
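Review bot: The rewritten comment in the GET /services/:id/logs handler credits the JOIN with enforcing ownership, but `JOIN scraped_services s ON l.scraped_id = s.id` only links each log row to its service; the restriction to the caller's own services can only come from a WHERE clause on `s.owner_id`, which lies past the end of this hunk (the handler and the query both continue outside it). Suggest naming the real guard so a later reader does not drop the WHERE believing the JOIN suffices, e.g. `// Ownership is enforced by the WHERE on s.owner_id below; the JOIN alone only links each log to its service`. It is also worth confirming that the filter compares against the same identity field (`req.user.accountId`) that the POST handler's new ownership check uses, so both routes agree on who owns a service.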