diff --git a/src/main/java/im/zhaojun/zfile/common/filter/CorsFilter.java b/src/main/java/im/zhaojun/zfile/common/filter/CorsFilter.java
index 65583c0..e9fb5b0 100644
--- a/src/main/java/im/zhaojun/zfile/common/filter/CorsFilter.java
+++ b/src/main/java/im/zhaojun/zfile/common/filter/CorsFilter.java
@@ -1,5 +1,6 @@
 package im.zhaojun.zfile.common.filter;
 
+import cn.hutool.core.util.ObjectUtil;
 import org.springframework.http.HttpHeaders;
 import org.springframework.web.cors.CorsUtils;
 
@@ -25,8 +26,9 @@ public class CorsFilter implements Filter {
     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
         HttpServletRequest httpServletRequest = (HttpServletRequest) request;
         HttpServletResponse httpServletResponse = (HttpServletResponse) response;
-
-        httpServletResponse.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, httpServletRequest.getHeader(HttpHeaders.ORIGIN));
+    
+        String header = httpServletRequest.getHeader(HttpHeaders.ORIGIN);
+        httpServletResponse.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, ObjectUtil.defaultIfNull(header, "*"));
         httpServletResponse.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS, "Origin, X-Requested-With, Content-Type, Accept, zfile-token, axios-request");
         httpServletResponse.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "GET, POST, PUT, DELETE, OPTIONS");
         httpServletResponse.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "false");