diff --git a/app/Http/Admin/Controllers/Controller.php b/app/Http/Admin/Controllers/Controller.php
index 058bfa77..25899d50 100644
--- a/app/Http/Admin/Controllers/Controller.php
+++ b/app/Http/Admin/Controllers/Controller.php
@@ -21,6 +21,17 @@ class Controller extends \Phalcon\Mvc\Controller
 
     public function beforeExecuteRoute(Dispatcher $dispatcher)
     {
+        /**
+         * demo分支拒绝数据提交
+         */
+        if ($this->isNotSafeRequest()) {
+            $dispatcher->forward([
+                'controller' => 'public',
+                'action' => 'forbidden',
+            ]);
+            return false;
+        }
+
         if ($this->isNotSafeRequest()) {
             $this->checkHttpReferer();
             $this->checkCsrfToken();
diff --git a/app/Http/Admin/Services/Setting.php b/app/Http/Admin/Services/Setting.php
index 3d2130fd..d6d46164 100644
--- a/app/Http/Admin/Services/Setting.php
+++ b/app/Http/Admin/Services/Setting.php
@@ -87,8 +87,16 @@ class Setting extends Service
 
         $result = [];
 
+        /**
+         * demo分支过滤敏感数据
+         */
         if ($items->count() > 0) {
             foreach ($items as $item) {
+                $case1 = preg_match('/(id|auth|key|secret|password|pwd)$/', $item->item_key);
+                $case2 = $this->dispatcher->getControllerName() == 'setting';
+                if ($case1 && $case2) {
+                    $item->item_value = '***';
+                }
                 $result[$item->item_key] = $item->item_value;
             }
         }
diff --git a/app/Http/Admin/Views/templates/main.volt b/app/Http/Admin/Views/templates/main.volt
index 6b70ff60..8803b2a0 100644
--- a/app/Http/Admin/Views/templates/main.volt
+++ b/app/Http/Admin/Views/templates/main.volt
@@ -23,5 +23,11 @@
 {% block include_js %}{% endblock %}
 {% block inline_js %}{% endblock %}
 
+{% set site = setting('site') %}
+
+{% if site['analytics_enabled'] == 1 %}
+    {{ site['analytics_script'] }}
+{% endif %}
+
 </body>
 </html>
\ No newline at end of file