diff --git a/service-ai/service-ai-core/src/main/java/com/lanyuanxiaoyao/service/configuration/SecurityConfig.java b/service-ai/service-ai-core/src/main/java/com/lanyuanxiaoyao/service/configuration/SecurityConfig.java
index 133db97..5742f8d 100644
--- a/service-ai/service-ai-core/src/main/java/com/lanyuanxiaoyao/service/configuration/SecurityConfig.java
+++ b/service-ai/service-ai-core/src/main/java/com/lanyuanxiaoyao/service/configuration/SecurityConfig.java
@@ -1,7 +1,5 @@
 package com.lanyuanxiaoyao.service.configuration;
 
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
@@ -13,6 +11,9 @@ import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+import org.springframework.web.filter.CorsFilter;
 
 /**
  * @author lanyuanxiaoyao
@@ -21,17 +22,31 @@ import org.springframework.security.web.SecurityFilterChain;
 @Configuration
 @EnableWebSecurity
 public class SecurityConfig {
+  @Bean
+  public CorsFilter corsFilter() {
+    CorsConfiguration configuration = new CorsConfiguration();
+    configuration.setAllowCredentials(true);
+    configuration.addAllowedOriginPattern("*");
+    configuration.addAllowedHeader("*");
+    configuration.addAllowedMethod("*");
+    configuration.setMaxAge(7200L);
+    configuration.setAllowPrivateNetwork(true);
+    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+    source.registerCorsConfiguration("/**", configuration);
+    return new CorsFilter(source);
+  }
+
   @Bean
   public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
     return http.authorizeHttpRequests(
-        registry -> registry
-            .requestMatchers(HttpMethod.OPTIONS, "/**")
-            .permitAll()
-            .anyRequest()
-            .authenticated()
+            registry -> registry
+                .requestMatchers(HttpMethod.OPTIONS, "/**")
+                .permitAll()
+                .anyRequest()
+                .authenticated()
         )
         .httpBasic(Customizer.withDefaults())
-        .cors(AbstractHttpConfigurer::disable)
+        .cors(Customizer.withDefaults())
         .csrf(AbstractHttpConfigurer::disable)
         .formLogin(AbstractHttpConfigurer::disable)
         .build();