diff --git a/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/filter/security/TokenAuthenticationFilter.java b/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/filter/security/TokenAuthenticationFilter.java
index fd072e48e..a37c262fa 100644
--- a/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/filter/security/TokenAuthenticationFilter.java
+++ b/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/filter/security/TokenAuthenticationFilter.java
@@ -12,14 +12,11 @@ import org.springframework.cloud.client.loadbalancer.reactive.ReactorLoadBalance
 import org.springframework.cloud.gateway.filter.GatewayFilterChain;
 import org.springframework.cloud.gateway.filter.GlobalFilter;
 import org.springframework.core.Ordered;
-import org.springframework.http.server.reactive.ServerHttpRequest;
 import org.springframework.stereotype.Component;
 import org.springframework.web.reactive.function.client.WebClient;
 import org.springframework.web.server.ServerWebExchange;
 import reactor.core.publisher.Mono;
 
-import javax.annotation.Resource;
-import java.util.function.Consumer;
 import java.util.function.Function;
 
 /**
@@ -47,8 +44,11 @@ public class TokenAuthenticationFilter implements GlobalFilter, Ordered {
 
     @Override
     public Mono<Void> filter(final ServerWebExchange exchange, GatewayFilterChain chain) {
-        String token = SecurityFrameworkUtils.obtainAuthorization(exchange);
+        // 移除 login-user 的请求头，避免伪造模拟
+        SecurityFrameworkUtils.removeLoginUser(exchange);
+
         // 情况一，如果没有 Token 令牌，则直接继续 filter
+        String token = SecurityFrameworkUtils.obtainAuthorization(exchange);
         if (StrUtil.isEmpty(token)) {
             return chain.filter(exchange);
         }
diff --git a/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/util/SecurityFrameworkUtils.java b/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/util/SecurityFrameworkUtils.java
index a8edad267..25896a60b 100644
--- a/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/util/SecurityFrameworkUtils.java
+++ b/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/util/SecurityFrameworkUtils.java
@@ -58,6 +58,17 @@ public class SecurityFrameworkUtils {
         exchange.getAttributes().put(LOGIN_USER_TYPE_ATTR, token.getUserType());
     }
 
+    public static ServerWebExchange removeLoginUser(ServerWebExchange exchange) {
+        // 如果不包含，直接返回
+        if (!exchange.getRequest().getHeaders().containsKey(LOGIN_USER_HEADER)) {
+            return exchange;
+        }
+        // 如果包含，则移除。参考 RemoveRequestHeaderGatewayFilterFactory 实现
+        ServerHttpRequest request = exchange.getRequest().mutate()
+                .headers(httpHeaders -> httpHeaders.remove(LOGIN_USER_HEADER)).build();
+        return exchange.mutate().request(request).build();
+    }
+
     /**
      * 获得登录用户的编号
      *