diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e5429f9..13c8d04 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -32,7 +32,7 @@ jobs:
 - uses: robinraju/release-downloader@v1
 with:
 repository: nezhahq/admin-frontend
- tag: v1.0.11
+ tag: v1.0.12
 fileName: dist.zip
 latest: true
 extract: true
@@ -45,7 +45,7 @@ jobs:
 - uses: robinraju/release-downloader@v1
 with:
 repository: nezhahq/user-frontend
- tag: v1.0.4
+ tag: v1.0.5
 fileName: dist.zip
 latest: true
 extract: true
diff --git a/cmd/dashboard/controller/jwt.go b/cmd/dashboard/controller/jwt.go
index c930919..2e4a462 100644
--- a/cmd/dashboard/controller/jwt.go
+++ b/cmd/dashboard/controller/jwt.go
@@ -8,6 +8,7 @@ import (
 jwt "github.com/appleboy/gin-jwt/v2"
 "github.com/gin-gonic/gin"
 "golang.org/x/crypto/bcrypt"
+ "gorm.io/gorm"
 "github.com/nezhahq/nezha/cmd/dashboard/controller/waf"
 "github.com/nezhahq/nezha/model"
@@ -88,7 +89,9 @@ func authenticator() func(c *gin.Context) (interface{}, error) {
 var user model.User
 if err := singleton.DB.Select("id", "password").Where("username = ?", loginVals.Username).First(&user).Error; err != nil {
- model.BlockIP(singleton.DB, c.GetString(model.CtxKeyRealIPStr), model.WAFBlockReasonTypeLoginFail)
+ if err == gorm.ErrRecordNotFound {
+ model.BlockIP(singleton.DB, c.GetString(model.CtxKeyRealIPStr), model.WAFBlockReasonTypeLoginFail)
+ }
 return nil, jwt.ErrFailedAuthentication
 }
diff --git a/cmd/dashboard/controller/ws.go b/cmd/dashboard/controller/ws.go
index cffc767..d6d0fdf 100644
--- a/cmd/dashboard/controller/ws.go
+++ b/cmd/dashboard/controller/ws.go
@@ -4,7 +4,9 @@ import (
 "fmt"
 "net"
 "net/http"
+ "net/url"
 "time"
+ "unicode/utf8"
 "github.com/gin-gonic/gin"
 "github.com/gorilla/websocket"
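Review bot: The new guard in the `authenticator` hunk compares the GORM error with `==`, which misses a wrapped `gorm.ErrRecordNotFound`; GORM documents checking this sentinel with `errors.Is`, so the line should read `if errors.Is(err, gorm.ErrRecordNotFound) {` (adding `errors` to the import block if it is not already there — the top of that block is outside the diff). Since this changes what the WAF counts as a login failure, a one-line comment stating the intent would help, e.g. `// Only an unknown username counts as a login failure here; presumably a DB error must not get the client's IP blocked.` The authenticator closure continues outside the hunk, so the password-mismatch path and whatever it does with BlockIP is not visible here.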
@@ -23,6 +25,9 @@ func InitUpgrader() {
 // Allow CORS from loopback addresses in debug mode
 if singleton.Conf.Debug {
 checkOrigin = func(r *http.Request) bool {
+ if checkSameOrigin(r) {
+ return true
+ }
 hostAddr := r.Host
 host, _, err := net.SplitHostPort(hostAddr)
 if err != nil {
@@ -42,7 +47,6 @@ func InitUpgrader() {
 return true
 }
 }
- return false
 }
 }
@@ -54,6 +58,40 @@ func InitUpgrader() {
 }
 }
+func equalASCIIFold(s, t string) bool {
+ for s != "" && t != "" {
+ sr, size := utf8.DecodeRuneInString(s)
+ s = s[size:]
+ tr, size := utf8.DecodeRuneInString(t)
+ t = t[size:]
+ if sr == tr {
+ continue
+ }
+ if 'A' <= sr && sr <= 'Z' {
+ sr = sr + 'a' - 'A'
+ }
+ if 'A' <= tr && tr <= 'Z' {
+ tr = tr + 'a' - 'A'
+ }
+ if sr != tr {
+ return false
+ }
+ }
+ return s == t
+}
+
+func checkSameOrigin(r *http.Request) bool {
+ origin := r.Header["Origin"]
+ if len(origin) == 0 {
+ return true
+ }
+ u, err := url.Parse(origin[0])
+ if err != nil {
+ return false
+ }
+ return equalASCIIFold(u.Host, r.Host)
+}
+
 // Websocket server stream
 // @Summary Websocket server stream
 // @tags common
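Review bot: The new `if checkSameOrigin(r) { return true }` short-circuit changes the reach of the loopback rules below it without a comment saying so; as added in this commit, `checkSameOrigin` also answers true when the request carries no Origin header at all, so Origin-less (non-browser) clients skip the loopback check as well. Suggest placing `// Same-origin requests, and requests without an Origin header, are accepted outright; the loopback rules below only govern cross-origin browser requests.` above the new `if`. The closure and `InitUpgrader` continue outside the hunk.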
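Review bot: Dropping `return false` leaves the `checkOrigin` closure without a visible terminating statement: the two closing braces above it end an inner `if` and the block enclosing it, and a block whose last statement is an `if` without `else` is not terminating in Go, so `go build` would report a missing return unless that enclosing statement is an unconditional `for` with no `break`. The statements between this hunk and the previous one (old lines 32–41) are outside the diff, so this cannot be confirmed here; if the old `return false` was merely unreachable dead code the removal is fine, otherwise it has to stay. The closure begins in the previous hunk.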
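Review bot: `equalASCIIFold` and `checkSameOrigin` have no doc comments, and their contract is what the origin check relies on: `checkSameOrigin` returns true when the Origin header is absent, compares only the authority (`u.Host` against `r.Host`) so the scheme plays no part, and returns false for an unparsable Origin. Suggest `// checkSameOrigin reports whether the request's Origin header, when present, names the same host[:port] as the request Host; the scheme is not compared and a missing Origin passes.` and `// equalASCIIFold reports whether s and t are equal under ASCII case folding; non-ASCII runes must match exactly.` These appear to mirror gorilla/websocket's unexported helpers of the same names, and a comment saying so would help keep them in sync. `r.Header.Get("Origin")` is also the conventional accessor, though indexing with the canonical key behaves the same.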