diff --git a/yudao-module-infra/yudao-module-infra-server/src/main/java/cn/iocoder/yudao/module/infra/framework/monitor/config/AdminServerConfiguration.java b/yudao-module-infra/yudao-module-infra-server/src/main/java/cn/iocoder/yudao/module/infra/framework/monitor/config/AdminServerConfiguration.java index fc1807b7a..6e17edc26 100644 --- a/yudao-module-infra/yudao-module-infra-server/src/main/java/cn/iocoder/yudao/module/infra/framework/monitor/config/AdminServerConfiguration.java +++ b/yudao-module-infra/yudao-module-infra-server/src/main/java/cn/iocoder/yudao/module/infra/framework/monitor/config/AdminServerConfiguration.java @@ -8,6 +8,7 @@ import org.springframework.context.annotation.Configuration; import org.springframework.core.annotation.Order; import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.crypto.password.PasswordEncoder; @@ -39,6 +40,9 @@ public class AdminServerConfiguration { @Value("${spring.boot.admin.client.password:admin}") private String password; + @Value("${spring.boot.admin.frame-ancestors:'self'}") + private String frameAncestors; + /** * Spring Boot Admin 专用的 InMemoryUserDetailsManager * 使用内存存储,与系统用户隔离 
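Review bot: The new `frameAncestors` field has no Javadoc, while the bean right below it is documented, and its contract is not obvious from the name: the value is spliced verbatim into the Content-Security-Policy header later in this class, so it must be a valid CSP source-expression list rather than a free-form host list. Suggest adding above the `@Value`: `/** CSP frame-ancestors source list (e.g. 'self' host[:port]); inserted verbatim into the Content-Security-Policy header, so it must be a valid CSP source expression list. */`. The `'self'` inside the placeholder default is the literal CSP keyword including its quotes, which is worth stating because at first glance the quotes look like a Spring placeholder artifact.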
@@ -99,6 +103,16 @@ public class AdminServerConfiguration { adminSeverContextPath + "/instances", // Admin Client 注册端点忽略 CSRF adminSeverContextPath + "/actuator/**" // Actuator 端点忽略 CSRF ) + ) + .headers(headers -> headers + // 特殊:Spring Boot Admin 前端基于 Vue,需 unsafe-inline / unsafe-eval 支持内联脚本与表达式 + .contentSecurityPolicy(csp -> csp.policyDirectives( + "default-src 'self'; " + + "script-src 'self' 'unsafe-inline' 'unsafe-eval'; " + + "style-src 'self' 'unsafe-inline'; " + + "frame-ancestors " + frameAncestors)) + .frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin) // 显式设置 X-Frame-Options 为 SAMEORIGIN + .cacheControl(HeadersConfigurer.CacheControlConfig::disable) // 禁用缓存,避免旧配置生效 ); return httpSecurity.build(); } diff --git a/yudao-module-infra/yudao-module-infra-server/src/main/resources/application-local.yaml b/yudao-module-infra/yudao-module-infra-server/src/main/resources/application-local.yaml index d9c21daa3..430c570d4 100644 --- a/yudao-module-infra/yudao-module-infra-server/src/main/resources/application-local.yaml +++ b/yudao-module-infra/yudao-module-infra-server/src/main/resources/application-local.yaml @@ -137,6 +137,8 @@ spring: password: admin # Spring Boot Admin Server 服务端的相关配置 context-path: /admin # 配置 Spring + # 允许嵌入 iframe 的域名(支持通配符),实际部署时,可以改为 "'self' [你的公网域名]" + frame-ancestors: "'self' localhost localhost:48082 127.0.0.1 127.0.0.1:48082" # 日志文件配置 logging:
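Review bot: `.cacheControl(HeadersConfigurer.CacheControlConfig::disable)` does the opposite of what its comment claims: disabling the cache-control writer removes the `Cache-Control: no-cache, no-store, max-age=0, must-revalidate`, `Pragma: no-cache` and `Expires: 0` headers Spring Security adds by default, so responses from this authenticated admin chain become cacheable by browsers and intermediaries instead of un-cached. If the intent is to avoid stale pages, delete that line and keep the defaults; if caching was deliberately enabled for static assets, the comment should say so and the scope should be narrowed to those paths. The `frameAncestors` property is concatenated into the policy string unvalidated, so a value containing `;` or a newline rewrites the whole policy and a bare `*` silently allows any site to frame the console; a fail-fast check such as `if (frameAncestors.contains(";") || frameAncestors.contains("\n") || frameAncestors.contains("\r")) throw new IllegalStateException("spring.boot.admin.frame-ancestors must be a single CSP source list");` before building the directives would make misconfiguration loud. Where CSP `frame-ancestors` is present, browsers that enforce it ignore `X-Frame-Options`, so the explicit `sameOrigin` only takes effect for clients without CSP support, where it blocks the non-self hosts listed in the property; a short comment stating that precedence would prevent a future reader from thinking the two are redundant. The enclosing method begins outside the hunk.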
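Review bot: The comment on the new `frame-ancestors` key says wildcards are supported but not what a too-broad value costs: a bare `*` lets any origin embed the admin console, which is exactly the clickjacking case the directive exists to prevent, and the value is written into the header without validation. Suggest extending the comment with `# Keep this list minimal; never use a bare "*" here, as that allows any site to embed the admin pages`. Hosts given without a scheme, as in the sample value, match the page's own scheme per CSP source matching, so a production entry should carry `https://` explicitly if only TLS origins are intended.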