diff --git a/web/controller/xray_setting.go b/web/controller/xray_setting.go
index a48726de..5b7a0e26 100644
--- a/web/controller/xray_setting.go
+++ b/web/controller/xray_setting.go
@@ -56,9 +56,17 @@ func (a *XraySettingController) getXraySetting(c *gin.Context) {
 if outboundTestUrl == "" {
 outboundTestUrl = "https://www.google.com/generate_204"
 }
-urlJSON, _ := json.Marshal(outboundTestUrl)
-xrayResponse := "{ \"xraySetting\": " + xraySetting + ", \"inboundTags\": " + inboundTags + ", \"outboundTestUrl\": " + string(urlJSON) + " }"
-jsonObj(c, xrayResponse, nil)
+xrayResponse := map[string]interface{}{
+"xraySetting": json.RawMessage(xraySetting),
+"inboundTags": json.RawMessage(inboundTags),
+"outboundTestUrl": outboundTestUrl,
+}
+result, err := json.Marshal(xrayResponse)
+if err != nil {
+jsonMsg(c, I18nWeb(c, "pages.settings.toasts.getSettings"), err)
+return
+}
+jsonObj(c, string(result), nil)
 }
 
 // updateSetting updates the Xray configuration settings.
@@ -140,7 +148,6 @@ func (a *XraySettingController) resetOutboundsTraffic(c *gin.Context) {
 // Optional form "allOutbounds": JSON array of all outbounds; used to resolve sockopt.dialerProxy dependencies.
 func (a *XraySettingController) testOutbound(c *gin.Context) {
 outboundJSON := c.PostForm("outbound")
-testURL := c.PostForm("testURL")
 allOutboundsJSON := c.PostForm("allOutbounds")
 
 if outboundJSON == "" {
@@ -148,6 +155,9 @@ func (a *XraySettingController) testOutbound(c *gin.Context) {
 return
 }
 
+// Load the test URL from server settings to prevent SSRF via user-controlled URLs
+testURL, _ := a.SettingService.GetXrayOutboundTestUrl()
+
 result, err := a.OutboundService.TestOutbound(outboundJSON, testURL, allOutboundsJSON)
 if err != nil {
 jsonMsg(c, I18nWeb(c, "somethingWentWrong"), err)
diff --git a/web/html/xray.html b/web/html/xray.html
index a350ee57..ebe31f48 100644
--- a/web/html/xray.html
+++ b/web/html/xray.html
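Review bot: `json.RawMessage(xraySetting)` and `json.RawMessage(inboundTags)` make the whole response depend on both stored strings being non-empty, valid JSON — an empty value now makes `json.Marshal` fail and the handler answers with the getSettings toast, where the old concatenation emitted an invalid body. Whether the service can return "" for either value is not visible in this hunk; if it can, substitute `json.RawMessage("null")` (or `{}`) for an empty string before marshalling so a fresh install still gets a parsable response. Minor style point: `map[string]interface{}` can be written `map[string]any` if the module's Go version is 1.18 or later. getXraySetting's body starts before the hunk.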
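Review bot: `testURL, _ := a.SettingService.GetXrayOutboundTestUrl()` discards the lookup error and does not apply the empty-value fallback that getXraySetting uses a few lines earlier, so a missing or unreadable setting reaches `TestOutbound` as an empty URL instead of the default. The error should be surfaced the same way the `TestOutbound` failure below it is, and the default applied here too, ideally from one shared constant rather than a second copy of the literal. The SSRF comment holds only as far as the stored setting is itself constrained; the code that saves the URL is not in this diff, so it is worth confirming it validates scheme and host. testOutbound continues past the end of the hunk.

```go
	// Load the test URL from server settings to prevent SSRF via user-controlled URLs
	testURL, err := a.SettingService.GetXrayOutboundTestUrl()
	if err != nil {
		jsonMsg(c, I18nWeb(c, "somethingWentWrong"), err)
		return
	}
	if testURL == "" {
		testURL = "https://www.google.com/generate_204" // same default as getXraySetting
	}

	result, err := a.OutboundService.TestOutbound(outboundJSON, testURL, allOutboundsJSON)
	// … unchanged: error handling and response …
```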
@@ -654,12 +654,10 @@
 try {
 const outboundJSON = JSON.stringify(outbound);
-const testURL = this.outboundTestUrl || 'https://www.google.com/generate_204';
 const allOutboundsJSON = JSON.stringify(this.templateSettings.outbounds || []);
 const msg = await HttpUtil.post("/panel/xray/testOutbound", {
 outbound: outboundJSON,
-testURL: testURL,
 allOutbounds: allOutboundsJSON
 });
diff --git a/web/service/outbound.go b/web/service/outbound.go
index c55999b3..ba0205e5 100644
--- a/web/service/outbound.go
+++ b/web/service/outbound.go
@@ -1,7 +1,6 @@
 package service
 
 import (
-"crypto/tls"
 "encoding/json"
 "fmt"
 "io"
@@ -352,7 +351,6 @@ func (s *OutboundService) testConnection(proxyPort int, testURL string) (int64,
 Timeout: 5 * time.Second,
 KeepAlive: 30 * time.Second,
 }).DialContext,
-TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 MaxIdleConns: 1,
 IdleConnTimeout: 10 * time.Second,
 DisableCompression: true,