diff --git a/app/common/middleware/AllowCrossDomain.php b/app/common/middleware/AllowCrossDomain.php
index deee08f..aff929c 100644
--- a/app/common/middleware/AllowCrossDomain.php
+++ b/app/common/middleware/AllowCrossDomain.php
@@ -14,11 +14,17 @@ use Webman\Http\Response;
  */
 class AllowCrossDomain implements MiddlewareInterface
 {
+    /**
+     * 允许跨域的自定义请求头（注意：携带 credentials 时，Allow-Headers 通配符在部分浏览器无效）
+     */
+    protected const ALLOW_HEADERS = 'Content-Type, Authorization, batoken, ba-user-token, user-token, access-token, auth-token, think-lang, lang, accept-language, x-requested-with, server';
+
     protected array $header = [
         'Access-Control-Allow-Credentials' => 'true',
         'Access-Control-Max-Age'           => '1800',
-        'Access-Control-Allow-Methods'     => '*',
-        'Access-Control-Allow-Headers'     => '*',
+        'Access-Control-Allow-Methods'     => 'GET, POST, PUT, DELETE, PATCH, OPTIONS',
+        'Access-Control-Allow-Headers'     => self::ALLOW_HEADERS,
+        'Vary'                             => 'Origin',
     ];
 
     /**
@@ -30,7 +36,8 @@ class AllowCrossDomain implements MiddlewareInterface
             'Access-Control-Allow-Credentials' => 'true',
             'Access-Control-Max-Age'            => '1800',
             'Access-Control-Allow-Methods'      => 'GET, POST, PUT, DELETE, PATCH, OPTIONS',
-            'Access-Control-Allow-Headers'      => 'Content-Type, Authorization, batoken, ba-user-token, user-token, access-token, think-lang, server',
+            'Access-Control-Allow-Headers'      => self::ALLOW_HEADERS,
+            'Vary'                              => 'Origin',
         ];
         $origin = $request->header('origin');
         if (is_array($origin)) {