diff --git a/console/src/main/java/com/alibaba/nacos/console/config/CorsConfig.java b/console/src/main/java/com/alibaba/nacos/console/config/CorsConfig.java
new file mode 100644
index 00000000000..d42b18048d9
--- /dev/null
+++ b/console/src/main/java/com/alibaba/nacos/console/config/CorsConfig.java
@@ -0,0 +1,48 @@
+/*
+ * Copyright 1999-2018 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.console.config;
+
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+import org.springframework.web.filter.CorsFilter;
+
+/**
+ * Spring cors config
+ *
+ * @author yshen
+ */
+@Configuration
+public class CorsConfig {
+
+
+    @Bean
+    public CorsFilter corsFilter() {
+        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        CorsConfiguration config = new CorsConfiguration();
+        config.setAllowCredentials(true);
+        config.addAllowedOrigin("*");
+        config.addAllowedHeader("*");
+        config.setMaxAge(18000L);
+        config.addAllowedMethod("*");
+        source.registerCorsConfiguration("/**", config);
+        return new CorsFilter(source);
+    }
+
+}
diff --git a/console/src/main/java/com/alibaba/nacos/console/config/WebSecurityConfig.java b/console/src/main/java/com/alibaba/nacos/console/config/WebSecurityConfig.java
index 1ef0eaff2c8..b4b9647de82 100644
--- a/console/src/main/java/com/alibaba/nacos/console/config/WebSecurityConfig.java
+++ b/console/src/main/java/com/alibaba/nacos/console/config/WebSecurityConfig.java
@@ -34,6 +34,7 @@
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.web.cors.CorsUtils;
 
 /**
  * Spring security config
@@ -84,7 +85,10 @@ public void configure(WebSecurity web) {
     @Override
     protected void configure(HttpSecurity http) throws Exception {
         http
+            //open cors
+            .cors().and()
             .authorizeRequests()
+            .requestMatchers(CorsUtils::isPreFlightRequest).permitAll()
             .anyRequest().authenticated().and()
             // custom token authorize exception handler
             .exceptionHandling()