diff --git a/app.py b/app.py
index 1639782..d80468c 100644
--- a/app.py
+++ b/app.py
@@ -137,6 +137,10 @@ def enforce_csrf_protection():
         return
     if request.path.startswith("/static/"):
         return
+    # 登录相关路由豁免 CSRF 检查(登录本身就是建立 session 的过程)
+    csrf_exempt_paths = {"/yuyx/api/login", "/api/login", "/api/auth/login"}
+    if request.path in csrf_exempt_paths:
+        return
     if not (current_user.is_authenticated or "admin_id" in session):
         return
     token = request.headers.get("X-CSRF-Token") or request.form.get("csrf_token")
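Review bot: The early `return` for the three login paths removes CSRF protection from the login endpoints entirely, which leaves them exposed to login CSRF — a cross-site POST that signs the victim's browser into an attacker-chosen account — and because the exemption sits before the authentication check it also applies to already-authenticated users. The comment's rationale (login is where the session is established) is precisely why the usual mitigation is a pre-session token or, at minimum, an Origin/Referer-to-host comparison for these paths rather than an unconditional exemption; if the login handlers cannot carry the session token, consider replacing the bare `return` with a check like `if request.headers.get("Origin") in allowed_origins: return` and falling through to reject otherwise, with `allowed_origins` derived from the app's configured host. Separately, `csrf_exempt_paths` is rebuilt as a set literal on every request; hoisting it to a module-level `CSRF_EXEMPT_PATHS = frozenset({"/yuyx/api/login", "/api/login", "/api/auth/login"})` is the idiomatic form and makes the exempt list auditable in one place. Rotating the session identifier on successful login would further limit what a forced login can achieve, though that belongs in the login handlers, which are outside this hunk. `enforce_csrf_protection` begins before the hunk and continues past its last line.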