diff --git a/src/main/kotlin/com/android/trisolarisserver/security/SecurityConfig.kt b/src/main/kotlin/com/android/trisolarisserver/security/SecurityConfig.kt
index 6bcf9a9..51e980c 100644
--- a/src/main/kotlin/com/android/trisolarisserver/security/SecurityConfig.kt
+++ b/src/main/kotlin/com/android/trisolarisserver/security/SecurityConfig.kt
@@ -26,7 +26,11 @@ class SecurityConfig(
             }
             .exceptionHandling {
                 it.authenticationEntryPoint(HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
-                it.accessDeniedHandler { _, response, _ ->
+                it.accessDeniedHandler { request, response, ex ->
+                    if (request.getHeader("X-Debug-Auth") == "1") {
+                        val msg = ex.message?.take(200) ?: "access_denied"
+                        response.setHeader("X-Access-Debug", msg)
+                    }
                     response.sendError(HttpStatus.UNAUTHORIZED.value(), "Unauthorized")
                 }
             }