diff --git a/biji-houdaun/src/main/java/com/test/bijihoudaun/config/SecurityConfig.java b/biji-houdaun/src/main/java/com/test/bijihoudaun/config/SecurityConfig.java
index 4291759..df7957a 100644
--- a/biji-houdaun/src/main/java/com/test/bijihoudaun/config/SecurityConfig.java
+++ b/biji-houdaun/src/main/java/com/test/bijihoudaun/config/SecurityConfig.java
@@ -8,6 +8,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.env.Environment;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
@@ -17,6 +18,8 @@ import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 
+import java.util.Arrays;
+
 @Configuration
 @EnableWebSecurity
 public class SecurityConfig {
@@ -33,6 +36,9 @@ public class SecurityConfig {
     @Autowired
     private JwtAccessDeniedHandler jwtAccessDeniedHandler;
 
+    @Autowired
+    private Environment environment;
+
     @Value("${jwt.header}")
     private String tokenHeader;
 
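Review bot: The `Environment` field added in the `@@ -33,6 +36,9 @@` hunk exists only to drive a profile check in the `securityFilterChain` hunk further down, and that check fails open: `/doc.html`, `/webjars/**` and `/v3/api-docs/**` become `permitAll()` whenever the active profiles do not contain exactly `"prod"`, so a staging or misconfigured deployment exposes the API documentation. Inverting the default so the documentation routes are appended only when an explicitly non-production profile is active, or when a dedicated property (a constructed name such as `app.expose-api-docs`, default false) is set, keeps the restricted list as the baseline. The profile test itself can be written as `environment.acceptsProfiles(Profiles.of("prod"))`, which also removes the need for the `java.util.Arrays` import added in the `@@ -17,6 +18,8 @@` hunk. Field injection here matches the existing `@Autowired` fields in this class, so no change is needed on that point; the `securityFilterChain` hunk runs past the end of this excerpt.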
@@ -48,18 +54,26 @@ public class SecurityConfig {
     public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
         JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter = new JwtAuthenticationTokenFilter(userDetailsService, jwtTokenUtil, tokenHeader, tokenHead);
+        // 检查当前激活的profile中是否包含 "prod"
+        boolean isProd = Arrays.asList(environment.getActiveProfiles()).contains("prod");
+
+        // 根据环境动态设置白名单
+        String[] publicEndpoints = isProd ?
+                new String[]{"/api/user/login", "/api/user/register"} :
+                new String[]{
+                        "/doc.html",
+                        "/webjars/**",
+                        "/v3/api-docs/**",
+                        "/api/user/login",
+                        "/api/user/register"
+                };
+
         http
                 .csrf(csrf -> csrf.disable())
                 .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                 .authorizeHttpRequests(authz -> authz
-                        // 1. 始终允许的核心公共端点 (登录、注册、API文档)
-                        .requestMatchers(
-                                "/doc.html",
-                                "/webjars/**",
-                                "/v3/api-docs/**",
-                                "/api/user/login",
-                                "/api/user/register"
-                        ).permitAll()
+                        // 1. 动态允许公共端点
+                        .requestMatchers(publicEndpoints).permitAll()
                         // 2. 精确允许用于“公开阅读”的 GET 请求
                         .requestMatchers(org.springframework.http.HttpMethod.GET,