diff --git a/kernel/model/session.go b/kernel/model/session.go
index e1b5d53e2..089d89b32 100644
--- a/kernel/model/session.go
+++ b/kernel/model/session.go
@@ -160,6 +160,20 @@ func CheckAuth(c *gin.Context) {
 //logging.LogInfof("check auth for [%s]", c.Request.RequestURI)
 
 if "" == Conf.AccessAuthCode {
+ if origin := c.GetHeader("Origin"); "" != origin {
+ // Authenticate requests with the Origin header other than 127.0.0.1 https://github.com/siyuan-note/siyuan/issues/9180
+ u, parseErr := url.Parse(origin)
+ if nil != parseErr {
+ logging.LogWarnf("parse origin [%s] failed: %s", origin, parseErr)
+ } else {
+ if !strings.HasPrefix(u.Host, util.LocalHost) && !strings.HasPrefix(u.Host, "[::1]") {
+ c.JSON(401, map[string]interface{}{"code": -1, "msg": "Auth failed"})
+ c.Abort()
+ return
+ }
+ }
+ }
+
 c.Next()
 return
 }
@@ -175,7 +189,6 @@ func CheckAuth(c *gin.Context) {
 // 放过来自本机的某些请求
 if strings.HasPrefix(c.Request.RemoteAddr, util.LocalHost) ||
- strings.HasPrefix(c.Request.RemoteAddr, "127.0.0.1") ||
 strings.HasPrefix(c.Request.RemoteAddr, "[::1]") {
 if strings.HasPrefix(c.Request.RequestURI, "/assets/") {
 c.Next()
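Review bot: The Origin allow-list added in the first hunk tests `u.Host` with strings.HasPrefix, so any host string that merely begins with the loopback literal is accepted rather than only the loopback host itself; the prefix form was presumably chosen because `u.Host` still carries the port, but that makes the check weaker than an exact host comparison. Comparing `u.Hostname()` (port and IPv6 brackets already stripped) for equality gives the precise check: `host := u.Hostname()` followed by `if host != util.LocalHost && host != "::1" {`. That util.LocalHost equals "127.0.0.1" is inferred from the second hunk dropping the literal as redundant; confirm before relying on it, and note that an Origin of http://localhost is rejected by the new check, which may or may not be intended. CheckAuth's body begins and ends outside this hunk.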