diff --git a/geye/config/example.py b/geye/config/example.py
index 045e368..7512368 100644
--- a/geye/config/example.py
+++ b/geye/config/example.py
@@ -48,6 +48,10 @@
 # CSRF_COOKIE_DOMAIN = "localhost:8080"
 # CSRF_USE_SESSIONS = True
 CSRF_COOKIE_SAMESITE = None
+ALLOWED_CORS = [
+ "localhost",
+ "127.0.0.1"
+]
 ##########
 # Queue settings
diff --git a/geye/database/models/token.py b/geye/database/models/token.py
index fbeb58b..6be0477 100644
--- a/geye/database/models/token.py
+++ b/geye/database/models/token.py
@@ -69,7 +69,9 @@ def update_token(self, params):
 return None
 else:
 obj.token_name = params["tokenName"]
- obj.token = params["tokenContent"]
+ # 如果传递过来的token中有星号,那么不对token字段进行更新
+ if "*" not in params["tokenContent"]:
+ obj.token = params["tokenContent"]
 # obj.remain_limit = params["remainLimit"]
 obj.status = params["status"]
 obj.save()
diff --git a/geye/system/middleware/cors.py b/geye/system/middleware/cors.py
index afe772b..38e6224 100644
--- a/geye/system/middleware/cors.py
+++ b/geye/system/middleware/cors.py
@@ -15,6 +15,7 @@
 from urllib.parse import urlparse
+from django.conf import settings
 from django.http import HttpResponseForbidden
 from geye.utils.log import logger
@@ -26,10 +27,7 @@ def __init__(self, get_response):
 super(CORSMiddleware, self).__init__()
 self.get_response = get_response
- self.allowed_origins = [
- "localhost",
- "127.0.0.1",
- ]
+ self.allowed_origins = settings.ALLOWED_CORS
 def __call__(self, request):
 response = self.get_response(request)
diff --git a/geye/web/controller/token/token.py b/geye/web/controller/token/token.py
index 023bf39..bc2dcdb 100644
--- a/geye/web/controller/token/token.py
+++ b/geye/web/controller/token/token.py
@@ -22,6 +22,10 @@
 from geye.utils.validator import RequestValidator
+def mask_token(token):
+ return token[:8] + "*" * 24
+
+
 class TokensView(View):
 """
 获取所有token信息
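Review bot: In geye/database/models/token.py, the `"*" not in params["tokenContent"]` test in update_token treats an asterisk anywhere in the submitted value as "leave the token unchanged", so such an update is skipped silently while `token_name` and `status` are still saved. The check also depends on the mask format that `mask_token` produces in the controller, which this module does not reference. Treating only the exact masked form of the stored value as "unchanged", e.g. `if params["tokenContent"] != obj.token[:8] + "*" * 24:`, makes the sentinel explicit; any other value that still contains the mask run should then be rejected with an error rather than stored or ignored. update_token starts and ends outside the hunk.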
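Review bot: In geye/system/middleware/cors.py, `settings.ALLOWED_CORS` is read without a fallback, so a deployment whose settings module predates this commit and lacks the new name will raise AttributeError when the middleware is constructed. `self.allowed_origins = getattr(settings, "ALLOWED_CORS", ["localhost", "127.0.0.1"])` keeps the previous behaviour for such installs. The entries are bare hostnames rather than full origins, and how they are compared is outside this hunk; a comment beside ALLOWED_CORS in example.py stating the expected format would help operators avoid entries that never match or match more than intended. The `def __init__` line itself lies outside the hunk.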
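Review bot: `mask_token` in geye/web/controller/token/token.py always reveals the first eight characters, so a stored token of eight characters or fewer is returned in full with only the asterisks appended, and a `None` token raises TypeError on the slice. Limiting the visible prefix to a fraction of the length, e.g. `token = token or ""` followed by `return token[:min(8, len(token) // 4)] + "*" * 24`, leaves the output unchanged for tokens of 32 characters or more. A one-line docstring saying the result is for display only and must never be written back would also document the contract that update_token's asterisk check relies on.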
@@ -35,7 +39,7 @@ def get(request):
 data.append({
 "id": row.id,
 "tokenName": row.token_name,
- "tokenContent": row.token,
+ "tokenContent": mask_token(row.token),
 "status": row.status,
 "remainLimit": row.remain_limit
 })
@@ -123,7 +127,7 @@ def post(request):
 return JsonResponse({"code": 1001, "message": "更新成功!", "data": {
 "id": obj.id,
 "tokenName": obj.token_name,
- "tokenContent": obj.token,
+ "tokenContent": mask_token(obj.token),
 "status": obj.status,
 "remainLimit": obj.remain_limit,
 }})
@@ -160,6 +164,7 @@ def get(request):
 obj = GeyeTokenModel.instance.get_details(token_id)
 if obj:
+ obj["tokenContent"] = mask_token(obj["tokenContent"])
 return JsonResponse({"code": 1001, "message": "获取成功!", "data": obj})
 else:
 return JsonResponse({"code": 1002, "message": "获取失败!"})
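Review bot: Masking is applied by hand at each response site in geye/web/controller/token/token.py (the list view in the first hunk, the update response in `post`, and the details view in the last hunk), so any response path not touched by this commit, or added later, still returns the stored token in full. It would be safer to mask where the row is serialised, for example in the model method that builds the details dict, so callers receive the masked form by default and must ask explicitly for the secret. Whether other handlers in this file, such as the one that creates a token, still echo `tokenContent` cannot be seen from these hunks and is worth checking. All three handlers start and end outside their hunks.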