diff --git a/internal/middleware/middleware.go b/internal/middleware/middleware.go
index 6b908025..85500f83 100644
--- a/internal/middleware/middleware.go
+++ b/internal/middleware/middleware.go
@@ -12,6 +12,34 @@ import (
 	"github.com/uozi-tech/cosy/logger"
 )
 
+// getToken from header, cookie or query
+func getToken(c *gin.Context) (token string) {
+	if token = c.GetHeader("Authorization"); token != "" {
+		return
+	}
+
+	if token, _ = c.Cookie("token"); token != "" {
+		return token
+	}
+
+	if token = c.Query("token"); token != "" {
+		tokenBytes, _ := base64.StdEncoding.DecodeString(token)
+		return string(tokenBytes)
+	}
+
+	return ""
+}
+
+// getXNodeID from header or query
+func getXNodeID(c *gin.Context) (xNodeID string) {
+	if xNodeID = c.GetHeader("X-Node-ID"); xNodeID != "" {
+		return xNodeID
+	}
+
+	return c.Query("x_node_id")
+}
+
+// AuthRequired is a middleware that checks if the user is authenticated
 func AuthRequired() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		abortWithAuthFailure := func() {
@@ -20,20 +48,20 @@ func AuthRequired() gin.HandlerFunc {
 			})
 		}
 
-		token := c.GetHeader("Authorization")
+		xNodeID := getXNodeID(c)
+		if xNodeID != "" {
+			c.Set("ProxyNodeID", xNodeID)
+		}
+
+		token := getToken(c)
 		if token == "" {
 			if token = c.GetHeader("X-Node-Secret"); token != "" && token == settings.NodeSettings.Secret {
 				c.Set("Secret", token)
 				c.Next()
 				return
 			} else {
-				c.Set("ProxyNodeID", c.Query("x_node_id"))
-				tokenBytes, _ := base64.StdEncoding.DecodeString(c.Query("token"))
-				token = string(tokenBytes)
-				if token == "" {
-					abortWithAuthFailure()
-					return
-				}
+				abortWithAuthFailure()
+				return
 			}
 		}
 
@@ -44,11 +72,6 @@ func AuthRequired() gin.HandlerFunc {
 		}
 
 		c.Set("user", u)
-
-		if nodeID := c.GetHeader("X-Node-ID"); nodeID != "" {
-			c.Set("ProxyNodeID", nodeID)
-		}
-
 		c.Next()
 	}
 }
@@ -70,6 +93,7 @@ func (f ServerFileSystemType) Exists(prefix string, _path string) bool {
 	return err == nil
 }
 
+// CacheJs is a middleware that send header to client to cache js file
 func CacheJs() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if strings.Contains(c.Request.URL.String(), "js") {
diff --git a/router/routers.go b/router/routers.go
index d61cb2f2..bf30752e 100644
--- a/router/routers.go
+++ b/router/routers.go
@@ -3,6 +3,8 @@ package router
 import (
 	"net/http"
 
+	"github.com/gin-contrib/pprof"
+
 	"github.com/0xJacky/Nginx-UI/api/analytic"
 	"github.com/0xJacky/Nginx-UI/api/certificate"
 	"github.com/0xJacky/Nginx-UI/api/cluster"
@@ -23,6 +25,7 @@ import (
 	"github.com/0xJacky/Nginx-UI/internal/middleware"
 	"github.com/gin-gonic/gin"
 	"github.com/uozi-tech/cosy"
+	cSettings "github.com/uozi-tech/cosy/settings"
 )
 
 func InitRouter() {
@@ -45,6 +48,9 @@ func InitRouter() {
 		// Authorization required and not websocket request
 		g := root.Group("/", middleware.AuthRequired(), middleware.Proxy())
 		{
+			if cSettings.ServerSettings.RunMode == gin.DebugMode {
+				pprof.Register(g)
+			}
 			user.InitUserRouter(g)
 			analytic.InitRouter(g)
 			user.InitManageUserRouter(g)