diff --git a/file-service/src/main/java/com/xuqm/file/config/SecurityConfig.java b/file-service/src/main/java/com/xuqm/file/config/SecurityConfig.java
index e92ea85..a402a09 100644
--- a/file-service/src/main/java/com/xuqm/file/config/SecurityConfig.java
+++ b/file-service/src/main/java/com/xuqm/file/config/SecurityConfig.java
@@ -36,12 +36,12 @@ public class SecurityConfig {
 .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
 .authorizeHttpRequests(auth -> auth
 .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
- // Public: file upload and serving by hash (upload is intentionally public)
- .requestMatchers("/api/file/upload").permitAll()
- .requestMatchers("/api/file/*/thumbnail").permitAll()
- .requestMatchers("/api/file/*").permitAll()
+ // Public: file upload and serving (AntRequestMatcher via explicit method)
+ .requestMatchers(HttpMethod.POST, "/api/file/upload").permitAll()
+ .requestMatchers(HttpMethod.GET, "/api/file/*/thumbnail").permitAll()
+ .requestMatchers(HttpMethod.GET, "/api/file/*").permitAll()
 // Actuator health & info
- .requestMatchers("/actuator/**").permitAll()
+ .requestMatchers(HttpMethod.GET, "/actuator/**").permitAll()
 .anyRequest().authenticated()
 )
 .exceptionHandling(ex -> ex
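Review bot: The actuator rule on the new side still permits every path under `/actuator/**` for GET, while the comment above it says only health and info are meant to be public; any other endpoint the management configuration exposes would be readable without authentication. Narrow the rule to the endpoints the comment names, e.g. `.requestMatchers(HttpMethod.GET, "/actuator/health", "/actuator/health/**", "/actuator/info").permitAll()`. The rewritten comment on the file rules also drops the statement that unauthenticated upload is intentional, and "AntRequestMatcher via explicit method" may not be accurate, since passing an `HttpMethod` does not by itself select the matcher type; I would restore the rationale as `// Public: upload is intentionally unauthenticated; serving by hash is read-only (GET)`. The filter-chain lambda starts and ends outside the hunk, so the management exposure settings and any limits applied to the public upload are not visible here.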