diff --git a/Caddyfile b/Caddyfile
index deeedbf..0b56a6c 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -13,9 +13,13 @@ http://{$DOMAIN:NEWS_DOMAIN_FALLBACK} {
 # /api/* 直接转发,保留路径(后端 FastAPI 路由就是 /api/v1/*)
- reverse_proxy /api/* api:8000
+ reverse_proxy /api/* api:8000 {
+ # 把 Caddy 识别的 client IP 写入 X-Forwarded-For(覆盖任何客户端伪造)
+ # 后端 uvicorn --forwarded-allow-ips 信任 docker 网络后会用这个值
+ header_up X-Forwarded-For {remote_host}
+ }
- # 其余走前端 SPA
+ # 其余走前�?SPA
 reverse_proxy /* frontend:80
 encode gzip zstd
diff --git a/docker-compose.yml b/docker-compose.yml
index fe49869..f680e24 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -61,7 +61,9 @@ services:
 - ./backend/app:/app/app
 - ./backend/alembic:/app/alembic
 - ./backend/alembic.ini:/app/alembic.ini
- command: ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]
+ # --forwarded-allow-ips 信任 docker 网络(让 Caddy 写入的 X-Forwarded-For 被采用)
+ # 生产部署可改成 Caddy 容器的具体 IP(动态 IP 用子网)
+ command: ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000", "--forwarded-allow-ips", "172.18.0.0/16"]
 logging:
 driver: json-file
 options:
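Review bot: `{remote_host}` in the new `header_up` line is the address of the immediate TCP peer, not a client IP that Caddy has resolved, so the added comment overstates what is forwarded. If this `http://` site is itself served behind a CDN, load balancer or TLS terminator (not visible here), every request reaches the backend with that proxy's address, and any per-IP rate limiting or audit logging keyed on it collapses to a single value. In that deployment, configure `trusted_proxies` in the global options and forward `header_up X-Forwarded-For {client_ip}` instead; if Caddy is the edge, keep the line and reword the comment to say it is the direct peer address. Separately, the re-added comment `# 其余走前�?SPA` has lost a character compared with the removed line, which looks like an encoding slip when the file was saved; restore `# 其余走前端 SPA`. The site block starts and ends outside this hunk.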
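Review bot: The `--forwarded-allow-ips` value `172.18.0.0/16` trusts every peer on that subnet rather than only Caddy, and the subnet is whatever Docker happened to allocate on the author's host. If the `api` service also publishes port 8000 (any `ports:` section is outside this hunk), connections arriving through Docker's port forwarding can appear to come from the bridge gateway inside that range, and their client-supplied `X-Forwarded-For` would then be believed. On a host where the compose network gets a different subnet the header is silently ignored instead, and uvicorn releases that predate CIDR support in this option appear to compare the value as a literal string with the same result, so confirm against the pinned version. Pin the network's subnet under `networks:` with an `ipam` entry, give Caddy a fixed address and pass only that, e.g. `"--forwarded-allow-ips", "<caddy-container-ip>"`, and keep 8000 unpublished.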