diff --git a/conf/config.ini b/conf/config.ini
index 8950b299..d2b2c0dd 100644
--- a/conf/config.ini
+++ b/conf/config.ini
@@ -230,6 +230,8 @@ forbidCacheSuffix=
 #可以把http代理前真实客户端ip放在http头中:https://github.com/ZLMediaKit/ZLMediaKit/issues/1388
 #切勿暴露此key,否则可能导致伪造客户端ip
 forwarded_ip_header=
+#默认允许所有跨域请求
+allow_cross_domains=1
 [multicast]
 #rtp组播截止组播ip地址
diff --git a/src/Common/config.cpp b/src/Common/config.cpp
index cae98d55..1654c61c 100644
--- a/src/Common/config.cpp
+++ b/src/Common/config.cpp
@@ -159,6 +159,7 @@ const string kNotFound = HTTP_FIELD "notFound";
 const string kDirMenu = HTTP_FIELD "dirMenu";
 const string kForbidCacheSuffix = HTTP_FIELD "forbidCacheSuffix";
 const string kForwardedIpHeader = HTTP_FIELD "forwarded_ip_header";
+const string kAllowCrossDomains = HTTP_FIELD "allow_cross_domains";
 static onceToken token([]() {
 mINI::Instance()[kSendBufSize] = 64 * 1024;
@@ -186,6 +187,7 @@ static onceToken token([]() {
 << endl;
 mINI::Instance()[kForbidCacheSuffix] = "";
 mINI::Instance()[kForwardedIpHeader] = "";
+ mINI::Instance()[kAllowCrossDomains] = 1;
 });
 } // namespace Http
diff --git a/src/Common/config.h b/src/Common/config.h
index 146c6067..ea874d64 100644
--- a/src/Common/config.h
+++ b/src/Common/config.h
@@ -246,6 +246,8 @@ extern const std::string kDirMenu;
 extern const std::string kForbidCacheSuffix;
 // 可以把http代理前真实客户端ip放在http头中:https://github.com/ZLMediaKit/ZLMediaKit/issues/1388
 extern const std::string kForwardedIpHeader;
+// 是否允许所有跨域请求
+extern const std::string kAllowCrossDomains;
 } // namespace Http
 ////////////SHELL配置///////////
diff --git a/src/Http/HttpSession.cpp b/src/Http/HttpSession.cpp
index a990f98b..c1a045f6 100644
--- a/src/Http/HttpSession.cpp
+++ b/src/Http/HttpSession.cpp
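Review bot: The new `allow_cross_domains` key in conf/config.ini ships enabled, and the default in src/Common/config.cpp (`mINI::Instance()[kAllowCrossDomains] = 1;`) keeps it on when the key is absent, so an existing install stays at `Access-Control-Allow-Origin: *` until the operator finds the switch. The one-line comment does not say what `0` does; I would spell it out, for example `#1=send Access-Control-Allow-Origin: * (any website may call this server from a browser), 0=do not send it`. If breaking existing browser clients is acceptable, defaulting to `0` would be the safer choice.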
@@ -39,8 +39,13 @@ void HttpSession::Handle_Req_HEAD(ssize_t &content_len){
 void HttpSession::Handle_Req_OPTIONS(ssize_t &content_len) {
 KeyValue header;
- header.emplace("Allow", "GET, POST, OPTIONS");
- header.emplace("Access-Control-Allow-Origin", "*");
+ header.emplace("Allow", "GET, POST, HEAD, OPTIONS");
+ GET_CONFIG(bool, allow_cross_domains, Http::kAllowCrossDomains);
+ if (allow_cross_domains) {
+ header.emplace("Access-Control-Allow-Origin", "*");
+ header.emplace("Access-Control-Allow-Headers", "*");
+ header.emplace("Access-Control-Allow-Methods", "GET, POST, HEAD, OPTIONS");
+ }
 header.emplace("Access-Control-Allow-Credentials", "true");
 header.emplace("Access-Control-Request-Methods", "GET, POST, OPTIONS");
 header.emplace("Access-Control-Request-Headers", "Accept,Accept-Language,Content-Language,Content-Type");
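Review bot: `Access-Control-Allow-Credentials: true` is still emitted outside the new `if (allow_cross_domains)` block, so a deployment that sets `allow_cross_domains=0` keeps advertising credentialed cross-origin access in its preflight response. Move `header.emplace("Access-Control-Allow-Credentials", "true");` inside the block, or drop it: browsers refuse a credentialed response whose `Access-Control-Allow-Origin` is `*`, and for credentialed requests the `*` in `Access-Control-Allow-Headers` is read as a literal header name, so the combination only ever works for anonymous requests. The two `Access-Control-Request-*` lines below it are request-header names and have no effect in a response. Only the OPTIONS handler is visible here and its body continues past the hunk; if other response paths also add `Access-Control-Allow-Origin`, they need the same check for the switch to take effect.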