diff --git a/install.sh b/install.sh
index 2b5ead5..31fdd03 100644
--- a/install.sh
+++ b/install.sh
@@ -3498,6 +3498,88 @@ update_migrate_database() {
 print_warning "sqlite3未安装,跳过数据库迁移检查"
 fi
+ # ========== 安全配置迁移 ==========
+ print_step "检查安全配置..."
+
+ if [[ -f ".env" ]]; then
+ # 检查 CORS 配置
+ CURRENT_CORS=$(grep "^ALLOWED_ORIGINS=" .env | cut -d'=' -f2-)
+
+ if [[ "$CURRENT_CORS" == "*" ]]; then
+ print_warning "⚠️ 检测到不安全的CORS配置: ALLOWED_ORIGINS=*"
+ echo ""
+ echo "这是一个严重的安全风险!攻击者可以从任何域名访问你的API。"
+ echo ""
+
+ # 尝试从域名配置自动修复
+ if [[ -f "/etc/nginx/sites-enabled/${PROJECT_NAME}" ]] || [[ -f "/etc/nginx/conf.d/${PROJECT_NAME}.conf" ]]; then
+ # 尝试从Nginx配置读取域名
+ NGINX_DOMAIN=$(grep "server_name" /etc/nginx/sites-enabled/${PROJECT_NAME} 2>/dev/null | grep -v "_" | awk '{print $2}' | sed 's/;//g' | head -1)
+
+ if [[ -z "$NGINX_DOMAIN" ]]; then
+ NGINX_DOMAIN=$(grep "server_name" /etc/nginx/conf.d/${PROJECT_NAME}.conf 2>/dev/null | grep -v "_" | awk '{print $2}' | sed 's/;//g' | head -1)
+ fi
+
+ if [[ -n "$NGINX_DOMAIN" ]] && [[ "$NGINX_DOMAIN" != "localhost" ]]; then
+ # 检测是否使用HTTPS
+ if grep -q "listen.*443.*ssl" /etc/nginx/sites-enabled/${PROJECT_NAME} 2>/dev/null || \
+ grep -q "listen.*443.*ssl" /etc/nginx/conf.d/${PROJECT_NAME}.conf 2>/dev/null; then
+ FIXED_CORS="https://${NGINX_DOMAIN}"
+ else
+ FIXED_CORS="http://${NGINX_DOMAIN}"
+ fi
+
+ print_info "检测到域名: ${NGINX_DOMAIN}"
+ echo ""
+ print_warning "建议将CORS设置为: ${FIXED_CORS}"
+ echo ""
+
+ read -p "是否自动修复CORS配置?[y/n]: " -n 1 -r < /dev/tty
+ echo ""
+
+ if [[ $REPLY =~ ^[Yy]$ ]]; then
+ # 备份原配置
+ cp .env .env.backup.$(date +%Y%m%d_%H%M%S)
+
+ # 修复CORS配置
+ sed -i "s|^ALLOWED_ORIGINS=.*|ALLOWED_ORIGINS=${FIXED_CORS}|" .env
+
+ print_success "✓ CORS配置已修复: ${FIXED_CORS}"
+ print_info "原配置已备份到: .env.backup.*"
+ else
+ print_warning "跳过自动修复,请手动编辑 .env 文件修改 ALLOWED_ORIGINS"
+ print_info "推荐值: ALLOWED_ORIGINS=${FIXED_CORS}"
+ fi
+ else
+ print_warning "无法自动修复,请手动编辑backend/.env文件"
+ print_info "将 ALLOWED_ORIGINS=* 改为你的实际域名"
+ print_info "示例: ALLOWED_ORIGINS=https://yourdomain.com"
+ fi
+ else
+ print_warning "无法自动修复,请手动编辑backend/.env文件"
+ print_info "将 ALLOWED_ORIGINS=* 改为你的实际域名"
+ print_info "示例: ALLOWED_ORIGINS=https://yourdomain.com"
+ fi
+ echo ""
+ elif [[ -z "$CURRENT_CORS" ]]; then
+ print_warning "⚠️ ALLOWED_ORIGINS未配置"
+ print_info "生产环境必须配置具体的域名"
+ else
+ print_success "✓ CORS配置安全: ${CURRENT_CORS}"
+ fi
+
+ # 检查 NODE_ENV
+ CURRENT_ENV=$(grep "^NODE_ENV=" .env | cut -d'=' -f2-)
+ if [[ "$CURRENT_ENV" != "production" ]]; then
+ print_warning "⚠️ 当前环境: ${CURRENT_ENV:-未设置}"
+ print_info "生产环境建议设置为: NODE_ENV=production"
+ else
+ print_success "✓ 环境配置: production"
+ fi
+ else
+ print_error "❌ .env 文件不存在!"
+ fi
+ echo ""
 }
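Review bot: The wildcard test `if [[ "$CURRENT_CORS" == "*" ]]; then` only matches a bare `*`, so a quoted dotenv value (`ALLOWED_ORIGINS="*"`) or a list that contains the wildcard (`*,https://example.com`) falls through to the final `else` and is reported as `✓ CORS配置安全`; stripping quotes first and matching as a pattern, `CURRENT_CORS=${CURRENT_CORS//[\'\"]/}` followed by `if [[ "$CURRENT_CORS" == *"*"* ]]; then`, closes that gap (whether the application accepts quoted or comma-separated values is not visible in this hunk, so confirm against the loader). The backup `cp .env .env.backup.$(date +%Y%m%d_%H%M%S)` creates the copy with the caller's umask rather than the mode of `.env`, so a secrets file kept at 600 can end up group- or world-readable; `cp -p .env ".env.backup.$(date +%Y%m%d_%H%M%S)"` preserves the original mode and quotes the expansion. The `/etc/nginx/...${PROJECT_NAME}` operands in the `grep` calls are unquoted (ShellCheck SC2086), unlike the quoted `[[ -f ... ]]` tests just above them. update_migrate_database() begins before this hunk.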