diff --git a/app/Support/BackUrl.php b/app/Support/BackUrl.php
index 21b6547..a96ab75 100644
--- a/app/Support/BackUrl.php
+++ b/app/Support/BackUrl.php
@@ -18,6 +18,12 @@ class BackUrl
 return '';
 }
 
+ // 长度安全阀:避免超长 back 造成 header/url 过大、日志污染或潜在 DoS
+ // 与表单侧 max:2000 的校验口径对齐。
+ if (strlen($incomingBack) > 2000) {
+ return '';
+ }
+
 if (!str_starts_with($incomingBack, '/')) {
 return '';
 }
diff --git a/tests/Unit/BackUrlSanitizeForLinksTest.php b/tests/Unit/BackUrlSanitizeForLinksTest.php
index a8a70b4..7ae55e7 100644
--- a/tests/Unit/BackUrlSanitizeForLinksTest.php
+++ b/tests/Unit/BackUrlSanitizeForLinksTest.php
@@ -12,6 +12,12 @@ class BackUrlSanitizeForLinksTest extends TestCase
 $this->assertSame('/admin/platform-orders', BackUrl::sanitizeForLinks('/admin/platform-orders'));
 }
 
+ public function test_sanitize_for_links_should_reject_too_long_back(): void
+ {
+ $long = '/admin/x?' . str_repeat('a', 5000);
+ $this->assertSame('', BackUrl::sanitizeForLinks($long));
+ }
+
 public function test_sanitize_for_links_should_reject_absolute_urls(): void
 {
 $this->assertSame('', BackUrl::sanitizeForLinks('https://evil.com/a'));
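Review bot: The new `strlen($incomingBack) > 2000` guard counts bytes, while the comment claims it matches the form-side `max:2000`; if that rule is Laravel's string `max`, it counts characters (mb_strlen), so a 2000-character path containing multibyte characters passes the form but is rejected here, and the two limits only coincide for ASCII. A byte cap is the right measure for the stated goal (header/URL size, log volume), so rather than switching to `mb_strlen` I would make the comment say so, e.g. `// Byte length on purpose: this protects header/URL size, so it is stricter than the form's character-based max:2000 for multibyte input.`, and optionally hoist the literal into a class constant such as `private const MAX_BACK_LENGTH = 2000;` so the form rule and this check can reference one value. The check is placed before `str_starts_with`, which is the right order since it is the cheapest rejection. The enclosing method's signature and the rest of its body are outside the hunk.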
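Review bot: The new test only exercises a value far past the limit (5000), so it would still pass if the threshold were off by one or changed to any value below 5000; the boundary is where this guard is most likely to regress. I would add a pair of boundary assertions alongside it: `$this->assertSame('', BackUrl::sanitizeForLinks('/a/' . str_repeat('a', 1998)));` (2001 bytes, must be rejected) and, assuming the later checks accept a plain path of this length, `$ok = '/a/' . str_repeat('a', 1997); $this->assertSame($ok, BackUrl::sanitizeForLinks($ok));` (exactly 2000 bytes, must be kept). Using a path rather than a query string for the boundary case also avoids coupling the test to whatever the remaining checks in sanitizeForLinks do with `?`; those checks are outside this hunk.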