diff --git a/manual/config/env.md b/manual/config/env.md
index dbfda78b..3c2633ab 100644
--- a/manual/config/env.md
+++ b/manual/config/env.md
@@ -65,6 +65,7 @@ This part of configurations is only valid in `CACHE_PROVIDER=memcached`:
 - `TIME_ZONE`: Time zone (default `UTC`)
 - `INIT_SEAFILE_ADMIN_EMAIL`: Admin username
 - `INIT_SEAFILE_ADMIN_PASSWORD`: Admin password
+- `CSRF_TRUSTED_ORIGINS`: A list of trusted origins for CSRF protection, JSON string, example: `["https://seafile.example.com", "https://seafile.com"]`.
 
 ## SeaDoc configurations (only valid after integrating SeaDoc)
 
diff --git a/manual/repo/docker/ce/seafile-server.yml b/manual/repo/docker/ce/seafile-server.yml
index ded3dc02..ad59f09d 100644
--- a/manual/repo/docker/ce/seafile-server.yml
+++ b/manual/repo/docker/ce/seafile-server.yml
@@ -79,6 +79,7 @@ services:
       - SEAFILE_AI_SERVER_URL=${SEAFILE_AI_SERVER_URL:-http://seafile-ai:8888}
       - SEAFILE_AI_SECRET_KEY=${JWT_PRIVATE_KEY:?Variable is not set or empty}
       - MD_FILE_COUNT_LIMIT=${MD_FILE_COUNT_LIMIT:-100000}
+      - CSRF_TRUSTED_ORIGINS=${CSRF_TRUSTED_ORIGINS}
     labels:
       caddy: ${SEAFILE_SERVER_PROTOCOL:-http}://${SEAFILE_SERVER_HOSTNAME:?Variable is not set or empty}
       caddy.reverse_proxy: "{{upstreams 80}}"
diff --git a/manual/repo/docker/cluster/seafile-server.yml b/manual/repo/docker/cluster/seafile-server.yml
index 9c157b50..103fc8a4 100644
--- a/manual/repo/docker/cluster/seafile-server.yml
+++ b/manual/repo/docker/cluster/seafile-server.yml
@@ -56,3 +56,4 @@ services:
       - SEAFILE_AI_SERVER_URL=$SEAFILE_AI_SERVER_URL
       - SEAFILE_AI_SECRET_KEY=${JWT_PRIVATE_KEY:?Variable is not set or empty}
       - MD_FILE_COUNT_LIMIT=${MD_FILE_COUNT_LIMIT:-100000}
+      - CSRF_TRUSTED_ORIGINS=${CSRF_TRUSTED_ORIGINS}
diff --git a/manual/repo/docker/pro/seafile-server.yml b/manual/repo/docker/pro/seafile-server.yml
index 6e5e95ff..848a1dba 100644
--- a/manual/repo/docker/pro/seafile-server.yml
+++ b/manual/repo/docker/pro/seafile-server.yml
@@ -91,6 +91,7 @@ services:
       - SEAFILE_AI_SERVER_URL=${SEAFILE_AI_SERVER_URL:-http://seafile-ai:8888}
       - SEAFILE_AI_SECRET_KEY=${JWT_PRIVATE_KEY:?Variable is not set or empty}
       - MD_FILE_COUNT_LIMIT=${MD_FILE_COUNT_LIMIT:-100000}
+      - CSRF_TRUSTED_ORIGINS=${CSRF_TRUSTED_ORIGINS}
     labels:
       caddy: ${SEAFILE_SERVER_PROTOCOL:-http}://${SEAFILE_SERVER_HOSTNAME:?Variable is not set or empty}
       caddy.reverse_proxy: "{{upstreams 80}}"