diff --git a/.memory/worklog.json b/.memory/worklog.json
index c07444c..76446f0 100644
--- a/.memory/worklog.json
+++ b/.memory/worklog.json
@@ -314,6 +314,13 @@
 "message": "auto-save 2026-04-19 22:45 (~1)",
 "hash": "81e2710",
 "files_changed": 1
+ },
+ {
+ "ts": "2026-04-19T22:51:12+08:00",
+ "type": "commit",
+ "message": "auto-save 2026-04-19 22:51 (~2)",
+ "hash": "7d83838",
+ "files_changed": 2
 }
 ]
 }
diff --git a/orchestrator/src/index.ts b/orchestrator/src/index.ts
index c7f3b4c..2c42411 100644
--- a/orchestrator/src/index.ts
+++ b/orchestrator/src/index.ts
@@ -16,9 +16,15 @@ const app = new Hono();
 app.get('/health', (c) => c.json({ ok: true, ts: Date.now() }));
 
 // Admin UI 页面(HTML,本身的 API 走下面 /admin/api/*)
-app.get('/admin/', (c) => c.html(DASHBOARD_HTML));
+const ALLOW_IFRAME_FROM = "frame-ancestors 'self' https://ai.milejoy.com https://lobehub.kang-kang.com";
+const withCsp = (c: any, html: string) => {
+ c.header('Content-Security-Policy', ALLOW_IFRAME_FROM);
+ c.header('X-Frame-Options', ''); // 移除 X-Frame-Options(CSP frame-ancestors 更精细)
+ return c.html(html);
+};
+app.get('/admin/', (c) => withCsp(c, DASHBOARD_HTML));
 app.get('/admin', (c) => c.redirect('/admin/?token=' + (c.req.query('token') ?? '')));
-app.get('/admin/user/:userId', (c) => c.html(USER_VIEW_HTML));
+app.get('/admin/user/:userId', (c) => withCsp(c, USER_VIEW_HTML));
 
 // Admin API(挂在 /admin/api,auth 在 admin router 里处理)
 app.route('/admin/api', admin);
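Review bot: `c.header('X-Frame-Options', '')` inside withCsp sends an X-Frame-Options header with an empty value rather than removing it; Hono deletes a header only when the value is `undefined`, so `c.header('X-Frame-Options', undefined);` is what the comment on that line describes. Browsers disregard X-Frame-Options whenever the response carries a CSP frame-ancestors directive, so the embed will still work, but wherever X-Frame-Options is set in the first place (presumably a middleware outside this hunk) should be checked, because a middleware that writes headers after `await next()` would overwrite both of these calls. The Content-Security-Policy set here also replaces, rather than extends, any CSP already on the response, leaving frame-ancestors as the only directive; if the orchestrator sets other CSP directives elsewhere they need to be carried in this value too. `c: any` discards Hono's context typing — `import type { Context } from 'hono'` and `const withCsp = (c: Context, html: string) =>` keeps the `c.header`/`c.html` calls checked.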