diff --git a/src/app/api/orders/route.ts b/src/app/api/orders/route.ts
index 4150c9f..b751cec 100644
--- a/src/app/api/orders/route.ts
+++ b/src/app/api/orders/route.ts
@@ -7,8 +7,8 @@ const createOrderSchema = z.object({
 user_id: z.number().int().positive(),
 amount: z.number().positive(),
 payment_type: z.enum(['alipay', 'wxpay', 'stripe']),
- src_host: z.string().optional(),
- src_url: z.string().optional(),
+ src_host: z.string().max(253).optional(),
+ src_url: z.string().max(2048).optional(),
 });
 export async function POST(request: NextRequest) {
diff --git a/src/lib/admin-auth.ts b/src/lib/admin-auth.ts
index 8fce9dd..e713ed3 100644
--- a/src/lib/admin-auth.ts
+++ b/src/lib/admin-auth.ts
@@ -14,9 +14,13 @@ function isLocalAdminToken(token: string): boolean {
 async function isSub2ApiAdmin(token: string): Promise {
 try {
 const env = getEnv();
+ const controller = new AbortController();
+ const timeout = setTimeout(() => controller.abort(), 5000);
 const response = await fetch(`${env.SUB2API_BASE_URL}/api/v1/auth/me`, {
 headers: { Authorization: `Bearer ${token}` },
+ signal: controller.signal,
 });
+ clearTimeout(timeout);
 if (!response.ok) return false;
 const data = await response.json();
 return data.data?.role === 'admin';
diff --git a/src/lib/payment/index.ts b/src/lib/payment/index.ts
index d440d35..469ac64 100644
--- a/src/lib/payment/index.ts
+++ b/src/lib/payment/index.ts
@@ -1,4 +1,5 @@
 import { paymentRegistry } from './registry';
+import type { PaymentType } from './types';
 import { EasyPayProvider } from '@/lib/easy-pay/provider';
 import { StripeProvider } from '@/lib/stripe/provider';
 import { getEnv } from '@/lib/config';
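Review bot: In `createOrderSchema` (src/app/api/orders/route.ts), `src_host` and `src_url` are now length-bounded but still accept any string, so the request body can carry values that are not a hostname or a URL at all. If these fields are stored and later shown in an admin view or written to logs (not visible in this hunk), every consumer has to treat them as untrusted text. Consider constraining the format as well, for example `src_url: z.string().url().max(2048).optional(),`, and restricting the scheme to http/https wherever the value is rendered as a link. Note also that `.max()` counts string length, not encoded bytes, if the limit is meant to match a database column size.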
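Review bot: In `isSub2ApiAdmin` (src/lib/admin-auth.ts) the 5-second timer is cleared as soon as the response headers arrive, so `await response.json()` is not bounded and a slow or stalled body can still hang the admin check; when `fetch` rejects, `clearTimeout(timeout)` is skipped as well. Passing `signal: AbortSignal.timeout(5000),` instead of the manual controller would cover the body read and needs no cleanup, assuming the runtime provides `AbortSignal.timeout`. The `catch` for this `try` is outside the hunk, so confirm that an abort there returns `false` and the check fails closed.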
@@ -37,5 +38,14 @@ export function initPaymentProviders(): void {
 paymentRegistry.register(new StripeProvider());
 }
+ // 校验 ENABLED_PAYMENT_TYPES 的每个渠道都有对应 provider 已注册
+ const unsupported = env.ENABLED_PAYMENT_TYPES.filter((t) => !paymentRegistry.hasProvider(t as PaymentType));
+ if (unsupported.length > 0) {
+ throw new Error(
+ `ENABLED_PAYMENT_TYPES 含 [${unsupported.join(', ')}],但没有对应的 PAYMENT_PROVIDERS 注册。` +
+ `请检查 PAYMENT_PROVIDERS 配置`,
+ );
+ }
+
 initialized = true;
 }
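Review bot: In `initPaymentProviders` (src/lib/payment/index.ts) the new check throws before `initialized = true`, so every later call re-runs the `paymentRegistry.register(...)` calls above and throws again; whether `register` tolerates repeated registration is not visible here. If this function is reached lazily from a request handler, a misconfiguration becomes a per-request failure, and the message, which names configuration variables, should stay in server logs and not be returned to the client. I would document the intent above the check, e.g. `// Fail closed: refuse to run with an enabled payment type that has no registered provider`, and invoke the function once at startup. The function body starts outside the hunk.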