diff --git a/src/main/java/com/onixbyte/deltaforceguide/config/SecurityConfig.java b/src/main/java/com/onixbyte/deltaforceguide/config/SecurityConfig.java index ad9be0e..8e8cc50 100644 --- a/src/main/java/com/onixbyte/deltaforceguide/config/SecurityConfig.java +++ b/src/main/java/com/onixbyte/deltaforceguide/config/SecurityConfig.java @@ -10,7 +10,6 @@ import com.onixbyte.deltaforceguide.security.provider.UsernamePasswordAuthentica import org.springframework.boot.context.properties.EnableConfigurationProperties; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; -import org.springframework.http.HttpMethod; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.ProviderManager; import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity; @@ -43,24 +42,7 @@ public class SecurityConfig { .sessionManagement((customiser) -> customiser .sessionCreationPolicy(SessionCreationPolicy.STATELESS)) .authorizeHttpRequests((customiser) -> customiser - .requestMatchers("/error", "/error/**").permitAll() - .requestMatchers("/captcha", "/captcha/**").permitAll() - .requestMatchers("/auth/logout").authenticated() - .requestMatchers("/auth/**").permitAll() - .requestMatchers( - "/swagger-ui.html", - "/swagger-ui", - "/swagger-ui/**", - "/v3/api-docs", - "/v3/api-docs.yaml", - "/v3/api-docs/swagger-config" - ).permitAll() - .requestMatchers(HttpMethod.GET, - "/firearms", "/firearms/*", - "/modifications", "/modifications/*", - "/daily-passwords", "/daily-passwords/*" - ).permitAll() - .anyRequest().authenticated() + .anyRequest().permitAll() ) .addFilterAfter(tokenAuthenticationFilter, ExceptionTranslationFilter.class) .build(); diff --git a/src/main/java/com/onixbyte/deltaforceguide/controller/AuthController.java b/src/main/java/com/onixbyte/deltaforceguide/controller/AuthController.java index 6d7e4e5..86229aa 100644 
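Review bot: In `SecurityConfig`, replacing the matcher list with `.anyRequest().permitAll()` turns the filter chain from deny-by-default into allow-by-default, so every handler that does not carry `@RequiresAuth` is now reachable without a token. The removed rules opened only `GET` on `/daily-passwords` and `/daily-passwords/*`, and no daily-password controller is annotated in this commit, so any write handler under that path (if one exists) loses its protection, as does any endpoint added later without the annotation. I would keep the explicit public matchers and leave `.anyRequest().authenticated()` as the fallback, treating `@RequiresAuth` as a second layer rather than the only one. The new annotation also has no effect unless method security is enabled on this configuration; the `EnableMethodSecurity` import is visible, but the class-level annotation is outside the hunk. The bean method starts outside the hunk.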
--- a/src/main/java/com/onixbyte/deltaforceguide/controller/AuthController.java +++ b/src/main/java/com/onixbyte/deltaforceguide/controller/AuthController.java @@ -3,6 +3,7 @@ package com.onixbyte.deltaforceguide.controller; import com.onixbyte.deltaforceguide.domain.dto.LoginRequest; import com.onixbyte.deltaforceguide.domain.dto.UserResponse; import com.onixbyte.deltaforceguide.client.TokenClient; +import com.onixbyte.deltaforceguide.security.annotation.RequiresAuth; import com.onixbyte.deltaforceguide.service.AuthService; import com.onixbyte.deltaforceguide.service.CookieService; import com.onixbyte.deltaforceguide.shared.CookieName; @@ -45,6 +46,7 @@ public class AuthController { .body(UserResponse.from(user)); } + @RequiresAuth @Operation(description = "退出登录") @PostMapping("/logout") public ResponseEntity logout() { diff --git a/src/main/java/com/onixbyte/deltaforceguide/controller/FirearmController.java b/src/main/java/com/onixbyte/deltaforceguide/controller/FirearmController.java index 817291e..7d95b69 100644 --- a/src/main/java/com/onixbyte/deltaforceguide/controller/FirearmController.java +++ b/src/main/java/com/onixbyte/deltaforceguide/controller/FirearmController.java @@ -4,6 +4,7 @@ import com.onixbyte.deltaforceguide.domain.dto.FirearmRequest; import com.onixbyte.deltaforceguide.domain.dto.FirearmResponse; import com.onixbyte.deltaforceguide.domain.dto.PageResponse; import com.onixbyte.deltaforceguide.enumeration.FirearmType; +import com.onixbyte.deltaforceguide.security.annotation.RequiresAuth; import com.onixbyte.deltaforceguide.service.FirearmService; import io.swagger.v3.oas.annotations.Operation; import io.swagger.v3.oas.annotations.tags.Tag; 
@@ -44,17 +45,20 @@ public class FirearmController { return firearmService.queryById(id); } + @RequiresAuth @PostMapping public FirearmResponse addFirearm(@Validated @RequestBody FirearmRequest request) { return firearmService.addFirearm(request); } + @RequiresAuth @Operation(description = "更新指定武器的数据") @PutMapping("/{id}") public FirearmResponse updateFirearm(@PathVariable Long id, @Validated @RequestBody FirearmRequest request) { return firearmService.updateFirearm(id, request); } + @RequiresAuth @Operation(description = "删除指定武器的数据") @DeleteMapping("/{id}") public void deleteFirearm(@PathVariable Long id) { diff --git a/src/main/java/com/onixbyte/deltaforceguide/controller/ModificationController.java b/src/main/java/com/onixbyte/deltaforceguide/controller/ModificationController.java index 1d3f90c..b7c7a8d 100644 --- a/src/main/java/com/onixbyte/deltaforceguide/controller/ModificationController.java +++ b/src/main/java/com/onixbyte/deltaforceguide/controller/ModificationController.java @@ -4,6 +4,7 @@ import com.onixbyte.deltaforceguide.domain.dto.ModificationBatchCreateRequest; import com.onixbyte.deltaforceguide.domain.dto.ModificationRequest; import com.onixbyte.deltaforceguide.domain.dto.ModificationResponse; import com.onixbyte.deltaforceguide.domain.dto.PageResponse; +import com.onixbyte.deltaforceguide.security.annotation.RequiresAuth; import com.onixbyte.deltaforceguide.service.ModificationService; import io.swagger.v3.oas.annotations.Operation; import io.swagger.v3.oas.annotations.tags.Tag; 
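Review bot: The generated API documentation no longer has any way to show that `addFirearm`, `updateFirearm` and `deleteFirearm` need a login, because access is now decided per method and `@RequiresAuth` is invisible to springdoc. I would declare it on each protected operation, e.g. `@SecurityRequirement(name = "<SCHEME_NAME_PLACEHOLDER>")`, and give `addFirearm` the `@Operation(description = ...)` its two siblings already have. The same applies to the five annotated handlers in the `ModificationController` hunk. Since the annotation is opt-in per method, a short class comment stating that every non-GET handler must carry `@RequiresAuth` would help the next person adding an endpoint.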
@@ -57,30 +58,35 @@ public class ModificationController { return modificationService.queryById(id); } + @RequiresAuth @Operation(description = "创建改装") @PostMapping public ModificationResponse create(@Valid @RequestBody ModificationRequest request) { return modificationService.create(request); } + @RequiresAuth @Operation(description = "批量创建改装") @PostMapping("/batch") public List batchCreate(@Valid @RequestBody ModificationBatchCreateRequest request) { return modificationService.batchCreate(request.modifications()); } + @RequiresAuth @Operation(description = "修改指定改装") @PutMapping("/{id}") public ModificationResponse update(@PathVariable Long id, @Valid @RequestBody ModificationRequest request) { return modificationService.update(id, request); } + @RequiresAuth @Operation(description = "删除指定改装") @DeleteMapping("/{id}") public void delete(@PathVariable Long id) { modificationService.delete(id); } + @RequiresAuth @Operation(description = "批量删除改装") @DeleteMapping("/batch-delete") @Validated diff --git a/src/main/java/com/onixbyte/deltaforceguide/security/annotation/RequiresAuth.java b/src/main/java/com/onixbyte/deltaforceguide/security/annotation/RequiresAuth.java new file mode 100644 index 0000000..f022be3 --- /dev/null +++ b/src/main/java/com/onixbyte/deltaforceguide/security/annotation/RequiresAuth.java @@ -0,0 +1,14 @@ +package com.onixbyte.deltaforceguide.security.annotation; + +import org.springframework.security.access.prepost.PreAuthorize; + +import java.lang.annotation.ElementType; +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; +import java.lang.annotation.Target; + +@Target({ElementType.METHOD, ElementType.TYPE}) +@Retention(RetentionPolicy.RUNTIME) +@PreAuthorize("isAuthenticated()") +public @interface RequiresAuth { +}
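Review bot: `@PreAuthorize("isAuthenticated()")` on the new `RequiresAuth` annotation checks only that the caller is logged in, not what the caller is allowed to do, so as written any authenticated account can create, update and delete firearms and modifications. If accounts other than administrators can exist (how users are created is not visible in this diff), the write handlers need an authority check, for example a second meta-annotation carrying `@PreAuthorize("hasRole('<ROLE_PLACEHOLDER>')")`. The annotation also has no Javadoc; I would add one stating that it enforces authentication only, that it relies on method security being enabled, and that handlers without it are public while `SecurityConfig` uses `anyRequest().permitAll()`.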