diff --git a/backend/src/main/java/io/metersphere/commons/utils/ShiroUtils.java b/backend/src/main/java/io/metersphere/commons/utils/ShiroUtils.java
index e48a56c994..18c222d1ba 100644
--- a/backend/src/main/java/io/metersphere/commons/utils/ShiroUtils.java
+++ b/backend/src/main/java/io/metersphere/commons/utils/ShiroUtils.java
@@ -44,6 +44,10 @@ public class ShiroUtils {
 // filterChainDefinitionMap.put("/document/**", "anon");
 }
+ public static void ignoreCsrfFilter(Map filterChainDefinitionMap) {
+ filterChainDefinitionMap.put("/", "apikey, authc"); // 跳转到 / 不用校验 csrf
+ }
+
 public static Cookie getSessionIdCookie(){
 SimpleCookie sessionIdCookie = new SimpleCookie();
 sessionIdCookie.setPath("/");
diff --git a/backend/src/main/java/io/metersphere/config/ShiroConfig.java b/backend/src/main/java/io/metersphere/config/ShiroConfig.java
index 9e8aefce18..4755bbe8d4 100644
--- a/backend/src/main/java/io/metersphere/config/ShiroConfig.java
+++ b/backend/src/main/java/io/metersphere/config/ShiroConfig.java
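Review bot: The new `ignoreCsrfFilter` takes a raw `Map`, although `ShiroFilterFactoryBean.getFilterChainDefinitionMap()` is typed, so the signature should be `public static void ignoreCsrfFilter(Map<String, String> filterChainDefinitionMap) {`. The helper also silently depends on insertion order: Shiro matches the first pattern that fits, so a caller must invoke it before it registers the `/**` catch-all, and that contract belongs in a Javadoc on the method rather than only in the caller. The trailing Chinese comment should be English for the rest of the team, e.g. `// "/" only redirects into the app; no state change, so the csrf filter is skipped here`.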
@@ -47,18 +47,15 @@ public class ShiroConfig implements EnvironmentAware {
 shiroFilterFactoryBean.getFilters().put("apikey", new ApiKeyFilter());
 shiroFilterFactoryBean.getFilters().put("csrf", new CsrfFilter());
 Map filterChainDefinitionMap = shiroFilterFactoryBean.getFilterChainDefinitionMap();
+ ShiroUtils.loadBaseFilterChain(filterChainDefinitionMap);
- ignoreCsrfFilter(filterChainDefinitionMap);
+ ShiroUtils.ignoreCsrfFilter(filterChainDefinitionMap);
+ filterChainDefinitionMap.put("/**", "apikey, csrf, authc");
 return shiroFilterFactoryBean;
 }
- private void ignoreCsrfFilter(Map filterChainDefinitionMap) {
- filterChainDefinitionMap.put("/", "apikey, authc"); // 跳转到 / 不用校验 csrf
- filterChainDefinitionMap.put("/performance/report/*", "apikey, authc"); // socket 不用校验 csrf
- }
-
 @Bean(name = "shiroFilter")
 public FilterRegistrationBean shiroFilter(ShiroFilterFactoryBean shiroFilterFactoryBean) throws Exception {
 FilterRegistrationBean registration = new FilterRegistrationBean<>();
diff --git a/backend/src/main/java/io/metersphere/security/CsrfFilter.java b/backend/src/main/java/io/metersphere/security/CsrfFilter.java
index a426c14d35..ea21966c4b 100644
--- a/backend/src/main/java/io/metersphere/security/CsrfFilter.java
+++ b/backend/src/main/java/io/metersphere/security/CsrfFilter.java
@@ -32,6 +32,12 @@ public class CsrfFilter extends AnonymousFilter {
 if (ApiKeyHandler.isApiKeyCall(WebUtils.toHttp(request))) {
 return true;
 }
+ // websocket 不需要csrf
+ String websocketKey = httpServletRequest.getHeader("Sec-WebSocket-Key");
+ if (StringUtils.isNotBlank(websocketKey)) {
+ return true;
+ }
+
 // 请求头取出的token value
 String csrfToken = httpServletRequest.getHeader(TOKEN_NAME);
 // 校验 token
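Review bot: The three added `put` calls in the ShiroConfig hunk now encode the whole CSRF policy through map insertion order, but nothing says so; if someone later moves `filterChainDefinitionMap.put("/**", "apikey, csrf, authc");` above `ShiroUtils.ignoreCsrfFilter(...)`, the `/` exemption stops matching with no error. A one-line comment before the catch-all, `// order matters: Shiro applies the first matching pattern, so "/**" must stay last`, would make the intent explicit. The local is also declared as a raw `Map` on the context line; `Map<String, String> filterChainDefinitionMap = shiroFilterFactoryBean.getFilterChainDefinitionMap();` matches the bean's declared return type and removes the unchecked warning. The enclosing bean method begins before this hunk.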
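Review bot: The WebSocket exemption added to CsrfFilter is decided by the mere presence of a `Sec-WebSocket-Key` header rather than by an actual upgrade handshake, so any non-upgrade HTTP request carrying that header skips the token check. Tightening it to the handshake is a one-line change to the condition: `if (StringUtils.isNotBlank(websocketKey) && "websocket".equalsIgnoreCase(httpServletRequest.getHeader("Upgrade"))) {`. The reason this exemption is acceptable at all — browsers forbid page scripts from setting `Sec-`-prefixed headers, so a cross-site page cannot supply one — is exactly what the comment should say in place of `// websocket 不需要csrf`, e.g. `// WebSocket handshakes carry no CSRF token; browsers refuse to let scripts set Sec-* headers, so this cannot be forged cross-site`. `StringUtils` is not visible in this hunk, so confirm the matching import exists in the file. The enclosing method (`httpServletRequest` is assigned before this hunk) starts and ends outside the hunk.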