diff --git a/.env.example b/.env.example
index 78a3b72c..f0d67c32 100644
--- a/.env.example
+++ b/.env.example
@@ -13,4 +13,10 @@ ZEP_API_KEY=your_zep_api_key_here
 # 注意如果不使用加速配置,env文件中就不要出现下面的配置项
 LLM_BOOST_API_KEY=your_api_key_here
 LLM_BOOST_BASE_URL=your_base_url_here
-LLM_BOOST_MODEL_NAME=your_model_name_here
\ No newline at end of file
+LLM_BOOST_MODEL_NAME=your_model_name_here
+
+# ===== Flask配置(可选)=====
+# SECRET_KEY=your-secret-key-here
+# FLASK_DEBUG=False
+# CORS_ORIGINS=http://localhost:3000,http://localhost:5173
+# FLASK_HOST=127.0.0.1
diff --git a/backend/app/__init__.py b/backend/app/__init__.py
index aba624bb..62912f2a 100644
--- a/backend/app/__init__.py
+++ b/backend/app/__init__.py
@@ -40,7 +40,7 @@ def create_app(config_class=Config):
     logger.info("=" * 50)
 
     # 启用CORS
-    CORS(app, resources={r"/api/*": {"origins": "*"}})
+    CORS(app, resources={r"/api/*": {"origins": config_class.CORS_ORIGINS}})
 
     # 注册模拟进程清理函数(确保服务器关闭时终止所有模拟进程)
     from .services.simulation_runner import SimulationRunner
@@ -60,6 +60,9 @@ def create_app(config_class=Config):
     def log_response(response):
         logger = get_logger('mirofish.request')
         logger.debug(f"响应: {response.status_code}")
+        response.headers['X-Content-Type-Options'] = 'nosniff'
+        response.headers['X-Frame-Options'] = 'DENY'
+        response.headers['X-XSS-Protection'] = '1; mode=block'
         return response
 
     # 注册蓝图
diff --git a/backend/app/config.py b/backend/app/config.py
index de63e2b4..ad33c2bc 100644
--- a/backend/app/config.py
+++ b/backend/app/config.py
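Review bot: The allowed-origin list is taken from `config_class.CORS_ORIGINS` rather than from `app.config`, so any value loaded into `app.config` later in `create_app` (instance config, test overrides) would not affect CORS; presumably the part of `create_app` before this hunk calls `app.config.from_object(config_class)`, in which case `app.config['CORS_ORIGINS']` is the conventional source. Note also that an operator who sets `CORS_ORIGINS=*` in the environment gets `['*']`, which Flask-CORS presumably treats as a wildcard and which reinstates the allow-all behaviour this hunk removes; a comment such as `# explicit origins only; CORS_ORIGINS=* would restore allow-all` on the `CORS(...)` line would keep that visible. The enclosing `create_app` starts before this hunk and continues after it.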
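Review bot: `X-XSS-Protection: 1; mode=block` is a legacy header that current browsers ignore and that OWASP now advises setting to `0` or omitting, the modern replacement being a `Content-Security-Policy`; I would either drop that line or mark it `# legacy; ignored by modern browsers, CSP is the real control`. The headers are also added inside `log_response`, whose name (and the decorator line just above the hunk) suggests it exists for request logging only, so a separate `@app.after_request` function such as `add_security_headers` would keep the two concerns apart and make the header set easy to find. `Referrer-Policy` and, if the app is served over TLS, `Strict-Transport-Security` are worth considering in the same place; how the app is fronted is not visible here, so that is a question rather than a defect. `log_response` and its decorator begin before this hunk.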
@@ -21,8 +21,15 @@ class Config:
     """Flask配置类"""
 
     # Flask配置
-    SECRET_KEY = os.environ.get('SECRET_KEY', 'mirofish-secret-key')
-    DEBUG = os.environ.get('FLASK_DEBUG', 'True').lower() == 'true'
+    SECRET_KEY = os.environ.get('SECRET_KEY')
+    if not SECRET_KEY:
+        import secrets
+        SECRET_KEY = secrets.token_hex(32)
+
+    DEBUG = os.environ.get('FLASK_DEBUG', 'False').lower() == 'true'
+
+    # CORS configuration
+    CORS_ORIGINS = os.environ.get('CORS_ORIGINS', 'http://localhost:3000').split(',')
 
     # JSON配置 - 禁用ASCII转义,让中文直接显示(而不是 \uXXXX 格式)
     JSON_AS_ASCII = False
diff --git a/backend/run.py b/backend/run.py
index 4e3b04fa..8a3ade9f 100644
--- a/backend/run.py
+++ b/backend/run.py
@@ -37,7 +37,7 @@ def main():
     app = create_app()
 
     # 获取运行配置
-    host = os.environ.get('FLASK_HOST', '0.0.0.0')
+    host = os.environ.get('FLASK_HOST', '127.0.0.1')
     port = int(os.environ.get('FLASK_PORT', 5001))
     debug = Config.DEBUG
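Review bot: The `secrets.token_hex(32)` fallback for `SECRET_KEY` produces a fresh key on every process start, so session cookies and anything else signed with it are invalidated on restart and, under a multi-worker server, differ from worker to worker; that is a sound default compared with the removed hard-coded key, but it should be loud, e.g. `warnings.warn("SECRET_KEY not set; using a random per-process key, sessions will not persist across restarts or workers")` (or the project's logger) next to the generation, and `import secrets` belongs with the module-level imports rather than inside the class body. `CORS_ORIGINS` is split on `,` without trimming, so a value such as `http://a:3000, http://b:5173` yields an entry with a leading space that will never match an `Origin` header; use `CORS_ORIGINS = [o.strip() for o in os.environ.get('CORS_ORIGINS', 'http://localhost:3000').split(',') if o.strip()]`. The `Config` class starts before this hunk and continues after it.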