diff --git a/backend/server.js b/backend/server.js
index 446014a..4696767 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -199,6 +199,8 @@ app.post('/api/login',
 res.cookie('token', token, {
 httpOnly: true,
+ secure: process.env.COOKIE_SECURE === 'true', // HTTPS环境下启用
+ sameSite: 'lax', // 防止CSRF攻击
 maxAge: 7 * 24 * 60 * 60 * 1000 // 7天
 });
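Review bot: The new `secure` line makes the flag opt-in, so any deployment that forgets to set `COOKIE_SECURE=true` issues the session token cookie over plain HTTP by default; the safer default is to require an explicit opt-out, `secure: process.env.COOKIE_SECURE !== 'false', // set COOKIE_SECURE=false only for local HTTP development`. The `sameSite: 'lax'` comment overstates the protection slightly: Lax still sends the cookie on top-level GET navigations, so it only blocks cross-site POST-style CSRF, and any state-changing GET route (not visible here) would remain exposed; a comment such as `// Lax blocks cross-site POST CSRF; keep state changes off GET` would make that limit explicit. The hunk header reports two context lines not shown here, so the surrounding `app.post('/api/login', …)` handler extends beyond this view.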