diff --git a/src/main/java/com/bonus/aqgqj/manager/common/config/CspFilter.java b/src/main/java/com/bonus/aqgqj/manager/common/config/CspFilter.java
index c95c9c6..b02e1f3 100644
--- a/src/main/java/com/bonus/aqgqj/manager/common/config/CspFilter.java
+++ b/src/main/java/com/bonus/aqgqj/manager/common/config/CspFilter.java
@@ -21,6 +21,7 @@ public class CspFilter implements Filter {
 "style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; " +
 "img-src 'self' data:; " +
 "font-src 'self' https://cdnjs.cloudflare.com; " +
+ "connect-src 'self' http://192.168.0.16:21520 http://127.0.0.1:21520 http://192.168.0.16:1999; " + // ✅ 允许 AJAX 请求你的后台接口
 "form-action 'self';"; // 新增:限制表单仅提交到当前域名
 httpResponse.setHeader("Content-Security-Policy", cspPolicy);
diff --git a/src/main/java/com/bonus/aqgqj/manager/common/config/CspInterceptor.java b/src/main/java/com/bonus/aqgqj/manager/common/config/CspInterceptor.java
index 150cac7..c098f87 100644
--- a/src/main/java/com/bonus/aqgqj/manager/common/config/CspInterceptor.java
+++ b/src/main/java/com/bonus/aqgqj/manager/common/config/CspInterceptor.java
@@ -16,6 +16,7 @@ public class CspInterceptor implements HandlerInterceptor {
 "style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; " +
 "img-src 'self' data:; " +
 "font-src 'self' https://cdnjs.cloudflare.com; " +
+ "connect-src 'self' http://192.168.0.16:21520 http://127.0.0.1:21520 http://192.168.0.16:1999; " + // ✅ 允许 AJAX 请求你的后台接口
 "form-action 'self';";
 response.setHeader("Content-Security-Policy", csp);
 return true;
diff --git a/src/main/java/com/bonus/aqgqj/manager/common/config/WebSecurityConfig.java b/src/main/java/com/bonus/aqgqj/manager/common/config/WebSecurityConfig.java
index c6f6d97..56de700 100644
--- a/src/main/java/com/bonus/aqgqj/manager/common/config/WebSecurityConfig.java
+++ b/src/main/java/com/bonus/aqgqj/manager/common/config/WebSecurityConfig.java
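Review bot: The added `connect-src` line hard-codes three cleartext `http://` origins into the policy, and because CSP is enforced by the visitor's browser, `http://127.0.0.1:21520` and `http://192.168.0.16:21520` refer to the user's own loopback and LAN rather than to the server, so this allow-list is only meaningful on a developer's machine. Shipped as-is, production pages permit XHR/fetch to whatever answers on those addresses inside each visitor's network, and any genuine backend traffic to them is unencrypted. The list belongs in configuration rather than source: inject it with `@Value("${csp.connect-src:'self'}") private String connectSrc;` and build the directive as `"connect-src " + connectSrc + "; " +`, so deployments can name `https://` hosts or keep just `'self'` when the API is same-origin (which `'self'` already covers). The `cspPolicy` assignment this line belongs to begins above the hunk.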
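Review bot: The same literal `connect-src` allow-list is now pasted into both CspInterceptor and CspFilter, so the two policies will drift the next time one is edited, and the diff does not say why a servlet Filter and a HandlerInterceptor both emit the same `Content-Security-Policy` header. Both call `setHeader` rather than `addHeader`, so whichever runs later on a request simply overwrites the other, and the duplicate buys nothing except a second place to forget. Move the policy string into one shared constant or a config-backed helper (for example a `CspPolicy.build()` that both components call), or drop one of the two emitters. The `csp` assignment begins before the hunk.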
@@ -21,7 +21,7 @@ public class WebSecurityConfig implements WebMvcConfigurer { // response.setHeader("X-Frame-Options", "SAMEORIGIN"); // 补充 CSP 头(增强安全性,与 X-Frame-Options 配合) - response.setHeader("Content-Security-Policy", "frame-ancestors 'none'"); // 禁止所有嵌入 + response.setHeader("Content-Security-Policy", "frame-ancestors 'self'"); // 禁止所有嵌入 // 若允许同源:frame-ancestors 'self'; return true; }
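Review bot: The trailing comment `// 禁止所有嵌入` ("forbid all embedding") no longer matches the code, which now permits same-origin framing via `frame-ancestors 'self'`; change it to `// 仅允许同源页面嵌入` and drop the now-redundant `// 若允许同源:frame-ancestors 'self';` line beneath it. The relaxation from `'none'` deserves a sentence in the commit naming which page has to be framed, since the stricter value was the deliberate default. This handler also writes `Content-Security-Policy` with `setHeader` while CspFilter and CspInterceptor set the same header name with a policy that carries no `frame-ancestors`, so depending on which component writes last the framing restriction may be silently replaced; consider folding `frame-ancestors` into the single shared policy instead. The `X-Frame-Options` fallback is commented out just above, so this directive is the only clickjacking control visible here.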