diff --git a/backend/src/main/java/com/xly/erp/config/SecurityConfig.java b/backend/src/main/java/com/xly/erp/config/SecurityConfig.java
new file mode 100644
index 0000000..f5e8afc
--- /dev/null
+++ b/backend/src/main/java/com/xly/erp/config/SecurityConfig.java
@@ -0,0 +1,24 @@
+package com.xly.erp.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+
+@Configuration
+public class SecurityConfig {
+
+ /**
+ * REQ-MOD-001 临时配置:所有 /api/** 一律 permitAll,禁用 CSRF / 表单登录。
+ * REQ-USR-004 完成时改为 .authenticated() + JWT filter。
+ */
+ @Bean
+ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+ http
+ .csrf(csrf -> csrf.disable())
+ .formLogin(form -> form.disable())
+ .httpBasic(basic -> basic.disable())
+ .authorizeHttpRequests(auth -> auth.anyRequest().permitAll());
+ return http.build();
+ }
+}
diff --git a/backend/src/test/java/com/xly/erp/config/SecurityConfigTest.java b/backend/src/test/java/com/xly/erp/config/SecurityConfigTest.java
new file mode 100644
index 0000000..57ad8c2
--- /dev/null
+++ b/backend/src/test/java/com/xly/erp/config/SecurityConfigTest.java
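Review bot: `.authorizeHttpRequests(auth -> auth.anyRequest().permitAll())` is broader than the Javadoc two lines above it promises ("所有 /api/** 一律 permitAll"): every path, not only `/api/**`, is served without authentication, and with CSRF, form login and HTTP basic all disabled anything else the application maps (management or actuator endpoints, if any are present) is reachable the same way. Keeping the permit to the documented scope makes the temporary state honest and fails closed elsewhere: `.authorizeHttpRequests(auth -> auth.requestMatchers("/api/**").permitAll().anyRequest().authenticated())`. Nothing in this hunk prevents the temporary bean from being packaged into a production build, so a `@Profile` guard (or at minimum a tracked TODO referencing REQ-USR-004) is worth adding; if the bean is absent, Spring Boot's default security auto-configuration takes over, which is presumably the safer fallback — confirm against the project's profiles. The Javadoc should also state that disabling CSRF is acceptable only while no cookie- or session-based authentication exists, so the planned JWT filter is kept header-based or CSRF is re-enabled with it.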
@@ -0,0 +1,44 @@
+package com.xly.erp.config;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.context.annotation.Bean;
+import org.springframework.boot.test.context.TestConfiguration;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@SpringBootTest
+@AutoConfigureMockMvc
+@ActiveProfiles("test")
+class SecurityConfigTest {
+
+ @Autowired MockMvc mockMvc;
+
+ @TestConfiguration
+ static class PingConfig {
+ @Bean PingController pingController() { return new PingController(); }
+ }
+
+ @RestController
+ @RequestMapping("/api/__ping")
+ static class PingController {
+ @GetMapping
+ public String ping() { return "pong"; }
+ }
+
+ @Test
+ void anyApiEndpoint_isPermittedWithoutAuth() throws Exception {
+ mockMvc.perform(get("/api/__ping"))
+ .andExpect(status().isOk())
+ .andExpect(content().string("pong"));
+ }
+}
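Review bot: `anyApiEndpoint_isPermittedWithoutAuth` only shows that `/api/__ping` is reachable, so it cannot distinguish the documented `/api/**` scope from the `anyRequest().permitAll()` the configuration actually applies, and an over-broad permit would pass unnoticed. A second case requesting any unmapped path outside `/api/` and expecting the filter chain to reject it, e.g. `mockMvc.perform(get("/not-api/__ping")).andExpect(status().isForbidden());` (a constructed path), pins the intended boundary: against the current configuration it fails with a 404 from the dispatcher, which is exactly the gap to surface, and whether the rejection is 401 or 403 depends on the entry point in effect once the chain is tightened, so adjust the matcher to what the chain returns. A short comment on the existing test naming REQ-USR-004 (`// TODO(REQ-USR-004): expect 401/403 once authentication is required`) would also make the expected future flip explicit rather than an unexplained failure. The enclosing class is complete within this hunk.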