diff --git a/nginxdashuju/vhosts/airport.conf b/nginxdashuju/vhosts/airport.conf
index 4f7a499..d806288 100644
--- a/nginxdashuju/vhosts/airport.conf
+++ b/nginxdashuju/vhosts/airport.conf
@@ -40,6 +40,40 @@
         }
 
         location /airport {
+
+            # 先清除后端返回的 CORS 相关头
+            proxy_hide_header Access-Control-Allow-Origin;
+            proxy_hide_header Access-Control-Allow-Credentials;
+            proxy_hide_header Access-Control-Allow-Headers;
+            proxy_hide_header Access-Control-Allow-Methods;
+            proxy_hide_header Access-Control-Max-Age;
+            proxy_hide_header Access-Control-Expose-Headers;
+
+            add_header 'Access-Control-Allow-Origin' "https://${BUSINESS_DOMAIN_FULL}" always;
+            add_header 'Access-Control-Allow-Credentials' 'true' always;
+            add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization, X-Requested-With, client-id' always;
+            add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
+            add_header 'Access-Control-Max-Age' 1728000 always;
+            add_header 'Access-Control-Expose-Headers' 'Content-Type, Authorization, client-id' always;
+            add_header 'Vary' 'Origin' always;
+            add_header 'Content-Security-Policy' "frame-ancestors *" always;
+            add_header X-Frame-Options ALLOWALL always;
+
+            if ($request_method = 'OPTIONS') {
+                add_header 'Access-Control-Allow-Origin' "https://${BUSINESS_DOMAIN_FULL}" always;
+                add_header 'Access-Control-Allow-Credentials' 'true' always;
+                add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization, X-Requested-With, client-id' always;
+                add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
+                add_header 'Access-Control-Max-Age' 1728000 always;
+                add_header 'Access-Control-Expose-Headers' 'Content-Type, Authorization, client-id' always;
+                add_header 'Vary' 'Origin' always;
+                add_header 'Content-Security-Policy' "frame-ancestors *" always;
+                add_header X-Frame-Options ALLOWALL always;
+                add_header 'Content-Length' 0;
+                add_header 'Content-Type' 'text/plain; charset=utf-8';
+                return 204;
+            }
+
             proxy_pass http://gatewayService/airport;
             proxy_set_header Host $host;
             proxy_http_version 1.1;