diff --git a/omniadvisor/pyproject.toml b/omniadvisor/pyproject.toml index d2849e690b254f6c70c9ca03f7502c8199fdd043..81f7307853f27188f73e2620ba6a216a1a68f4f4 100755 --- a/omniadvisor/pyproject.toml +++ b/omniadvisor/pyproject.toml @@ -22,6 +22,7 @@ colorlog = "~6.9.0" requests = "^2.32.3" python-dateutil = "2.9.0.post0" psycopg2-binary = "^2.9.10" +django-sslserver = "0.22" [tool.poetry.group.test.dependencies] pytest = "^7.4.4" diff --git a/omniadvisor/src/common/constant.py b/omniadvisor/src/common/constant.py index 29c762a91ed78454426e85bc1c12cd6643c068f9..3dd94e3418afa5c6abb17eabca80ea12a1ecd41f 100644 --- a/omniadvisor/src/common/constant.py +++ b/omniadvisor/src/common/constant.py @@ -3,7 +3,7 @@ import os import configparser -def load_common_config(config_path: str) -> configparser.ConfigParser: +def load_ini_config(config_path: str) -> configparser.ConfigParser: """ 使用configparser库加载common_config @@ -13,12 +13,29 @@ def load_common_config(config_path: str) -> configparser.ConfigParser: if not os.path.exists(config_path): raise FileNotFoundError(f"{config_path} does not exist") - common_config = configparser.ConfigParser() + common_config = configparser.ConfigParser(interpolation=None) common_config.read(config_path, encoding='utf-8') return common_config +def write_ini_config(config_path: str, key: str, value: dict) -> None: + """ + 以覆盖形式写入全新的 key, value配置 到 config_path中 + + :param config_path: 配置文件路径 + :param key: 键 + :param value: 值 + :return: None + """ + new_config = configparser.ConfigParser(interpolation=None) + new_config[key] = value + + # 直接写入(无需读取) + with open(config_path, 'w', encoding='utf-8') as configfile: + new_config.write(configfile) + + def check_oa_conf() -> None: """ 校验OA_CONF中参数是否符合要求,在参数值不符合规范时抛出异常 
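Review bot: `django-sslserver` is added to the main `[tool.poetry.dependencies]` group, but the package is a development HTTPS variant of `runserver` rather than something intended to run in production; since this same commit hardens settings.py for production (DEBUG=False, HSTS, SSL redirect), it fits better in a dev/test group, with the matching `'sslserver'` entry added to INSTALLED_APPS in the settings.py hunk registered only when that development server is actually in use. The exact pin `"0.22"`, unlike the caret ranges on the neighbouring entries, is fine if deliberate but deserves a short comment saying why.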
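Review bot: `write_ini_config` creates the file with `open(config_path, 'w', ...)`, so it inherits the process umask (commonly 0644), and the Django secret key that settings.py stores through it ends up readable by every local user. Creating the file with an explicit mode avoids that: `fd = os.open(config_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, 'w', encoding='utf-8') as configfile:` around the existing `new_config.write(configfile)`; `os` is already imported in this module. The switch to `interpolation=None` in `load_ini_config` is correct but unexplained; a one-line comment such as `# interpolation disabled: stored values (e.g. the secret key) may contain '%'` would save the next reader from reverting it, and the removed hard-coded key in the settings.py hunk shows that `%` does occur in these values.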
@@ -81,6 +98,8 @@ class OmniAdvisorConf: common_config_path = f'{config_dir}/common_config.cfg' # 数据存储目录 data_dir = f'{project_base_dir}/data' + # secret_key路径 + django_secret_key_path = f'{project_base_dir}/src/server/secret_key' # 任务执行状态 class ExecStatus: @@ -118,7 +137,7 @@ class OmniAdvisorConf: all = [hijacking, backend] # 输入配置解析 - _common_config = load_common_config(config_path=common_config_path) + _common_config = load_ini_config(config_path=common_config_path) # 配置罗列 # common页 tuning_retest_times = _common_config.getint('common', 'tuning.retest.times') diff --git a/omniadvisor/src/server/engine/settings.py b/omniadvisor/src/server/engine/settings.py index ac376cfb2a617951a2c75b3f4cff3c21c915bbba..65082c5413c269385b079f68474481a728b01321 100644 --- a/omniadvisor/src/server/engine/settings.py +++ b/omniadvisor/src/server/engine/settings.py 
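Review bot: The new attribute is named `django_secret_key_path`, while the settings.py hunk in this commit reads `OA_CONF.django_server_path`; unless `django_server_path` is defined elsewhere in `OmniAdvisorConf` (the class header and most of its body are outside this hunk), importing the settings module will raise AttributeError, so one of the two names needs to change to match. The path also lands inside the source tree (`src/server/secret_key`) rather than under the `data_dir` declared just above it, which makes it easy to commit or package the generated secret by accident; `f'{data_dir}/secret_key'` plus an ignore rule would be safer. Either way the comment should say what the file holds, e.g. `# Path of the INI file holding the generated Django SECRET_KEY (sensitive, keep out of version control)`.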
@@ -9,27 +9,47 @@ https://docs.djangoproject.com/en/4.2/topics/settings/ For the full list of settings and their values, see https://docs.djangoproject.com/en/4.2/ref/settings/ """ - +import os from pathlib import Path +from django.core.management.utils import get_random_secret_key -from common.constant import OA_CONF - -# Build paths inside the project like this: BASE_DIR / 'subdir'. -BASE_DIR = Path(__file__).resolve().parent.parent +from common.constant import OA_CONF, load_ini_config, write_ini_config +BASE_DIR = Path(__file__).resolve().parent.parent # Quick-start development settings - unsuitable for production # See https://docs.djangoproject.com/en/4.2/howto/deployment/checklist/ # SECURITY WARNING: keep the secret key used in production secret! -SECRET_KEY = 'django-insecure-no@z!_@jyd1w6!497ewxgm3h2n-0^oaz@9go9w5b%y_9%tv2c%' +_KEY_STR = 'django.secretkey' +_DEFAULT_STR = 'default' + +# 一旦生成这个随机变量之后,就不再变化 +if os.path.isfile(OA_CONF.django_server_path): + secret_key_config = load_ini_config(OA_CONF.django_server_path) + secret_key = secret_key_config.get(_DEFAULT_STR, _KEY_STR) +else: + secret_key = get_random_secret_key() + write_ini_config(OA_CONF.django_server_path, _DEFAULT_STR, {_KEY_STR: secret_key}) # SECURITY WARNING: don't run with debug turned on in production! -DEBUG = True +DEBUG = False + +# 开启 HTTP Strict Transport Security (HSTS),告诉浏览器在一定时间内(这里是一年)只能通过 HTTPS 访问你的网站 +SECURE_HSTS_SECONDS = 31536000 +# 配合 HSTS 使用,告诉浏览器所有子域名也必须强制 HTTPS。 +SECURE_HSTS_INCLUDE_SUBDOMAINS = True +# 让 CSRF 的 cookie 只能通过 HTTPS 发送,防止在 HTTP 传输中被窃取 +CSRF_COOKIE_SECURE = True +# 同样是让 session cookie 只能通过 HTTPS 发送 +SESSION_COOKIE_SECURE = True +# 强制将所有非 HTTPS(明文 HTTP)的请求自动重定向到 HTTPS(加密连接) +SECURE_SSL_REDIRECT = True +# 为了确保 Django 能正确判断请求是否是通过 HTTPS 发起的,它需要一个指示正确协议的头部。 +SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') ALLOWED_HOSTS = ['*'] - # Application definition INSTALLED_APPS = [ 
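Review bot: The hunk removes the `SECRET_KEY = ...` assignment and stores the loaded or generated value in the lowercase `secret_key`, but no `SECRET_KEY = secret_key` appears on the new side; unless that assignment exists further down outside this hunk, Django will refuse to start with an ImproperlyConfigured error about an empty SECRET_KEY. `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')` is only safe when every request passes through a proxy that overwrites that header; if the application is reachable directly (as it is under the `sslserver` development server added in this commit), a client-supplied header is trusted and `SECURE_SSL_REDIRECT` and the `*_COOKIE_SECURE` checks no longer mean what the comments say, so this setting should be controlled by a deployment flag rather than hard-coded. The file-exists branch also assumes the INI file has a `[default]` section with `django.secretkey`; a partially written or hand-edited file raises `configparser.NoSectionError`/`NoOptionError` at import, so catching those and either regenerating the key or failing with a message that names the file would make startup failures diagnosable.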
@@ -39,7 +59,8 @@ INSTALLED_APPS = [
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.staticfiles',
-'server.app'
+'server.app',
+'sslserver'
 ]
 
 MIDDLEWARE = [
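Review bot: `'sslserver'` is added without a trailing comma, reintroducing the pattern this hunk just corrected on `'server.app'`; writing `'sslserver',` keeps the next addition to a one-line diff. The INSTALLED_APPS list starts outside this hunk.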