diff --git a/crates/erp-server/src/main.rs b/crates/erp-server/src/main.rs
index bc52000..e06f2df 100644
--- a/crates/erp-server/src/main.rs
+++ b/crates/erp-server/src/main.rs
@@ -808,11 +808,19 @@ fn build_cors_layer(allowed_origins: &str) -> tower_http::cors::CorsLayer {
 .collect::>();
 if origins.len() == 1 && origins[0] == "*" {
- tracing::warn!(
- "⚠️ CORS 允许所有来源 — 仅限开发环境使用!\
- 生产环境请通过 ERP__CORS__ALLOWED_ORIGINS 设置具体的来源域名"
- );
- return tower_http::cors::CorsLayer::permissive();
+ #[cfg(not(debug_assertions))]
+ {
+ tracing::error!("CORS wildcard '*' is not allowed in production builds");
+ panic!("Refusing to start with CORS wildcard in release mode. Set ERP__CORS__ALLOWED_ORIGINS to specific domains.");
+ }
+ #[cfg(debug_assertions)]
+ {
+ tracing::warn!(
+ "⚠️ CORS 允许所有来源 — 仅限开发环境使用!\
+ 生产环境请通过 ERP__CORS__ALLOWED_ORIGINS 设置具体的来源域名"
+ );
+ return tower_http::cors::CorsLayer::permissive();
+ }
 }
 let allowed: Vec = origins
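Review bot: Gating the wildcard refusal on `#[cfg(not(debug_assertions))]` ties a deployment-security decision to a compiler flag, so a `dev`-profile binary started in production, or a release profile with `debug-assertions = true` in Cargo.toml, silently keeps `CorsLayer::permissive()` on. I would make the wildcard an unconditional configuration error and require an explicit runtime opt-in for the dev case, e.g. `if !(cfg!(debug_assertions) && std::env::var_os("ERP__CORS__ALLOW_WILDCARD_DEV").is_some()) { panic!("CORS wildcard '*' refused; set ERP__CORS__ALLOWED_ORIGINS to specific domains or opt in explicitly for local development"); }` with the name of the opt-in matching however the other `ERP__CORS__*` settings are parsed, and ideally surfaced as a config-validation `Err` at startup rather than a `panic!` inside a layer builder. The guard also only fires when the list is exactly `["*"]`; a mixed value such as `*,https://app.example` skips this branch and passes the literal `*` to the `let allowed: Vec = origins` path, whose handling of it is outside this hunk and worth checking. The `tracing::error!` immediately before `panic!` duplicates the panic message and could be dropped. `build_cors_layer` starts at the hunk header and continues past the end of the hunk.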