diff --git a/cmd/pfs/main.go b/cmd/pfs/main.go
index 95a2899..9268a29 100644
--- a/cmd/pfs/main.go
+++ b/cmd/pfs/main.go
@@ -12,6 +12,8 @@ import (
 	"os/signal"
 	"path/filepath"
 	"runtime"
+	"strconv"
+	"strings"
 	"syscall"
 	"time"
 
@@ -29,6 +31,8 @@ import (
 	"git.mchus.pro/mchus/priceforge/internal/services/pricelist"
 	"git.mchus.pro/mchus/priceforge/internal/services/pricing"
 	"github.com/gin-gonic/gin"
+	mysqlDriver "github.com/go-sql-driver/mysql"
+	"gopkg.in/yaml.v3"
 	"gorm.io/driver/mysql"
 	"gorm.io/gorm"
 	"gorm.io/gorm/logger"
@@ -78,6 +82,16 @@ func main() {
 		os.Exit(1)
 	}
 	setConfigDefaults(cfg)
+	cfg.Server.Host = normalizeLocalHost(cfg.Server.Host)
+	if !isLoopbackHost(cfg.Server.Host) {
+		slog.Error(
+			"server host must be loopback-only for local mode",
+			"host", cfg.Server.Host,
+			"allowed", "127.0.0.1/localhost/::1",
+			"config_path", resolvedConfigPath,
+		)
+		os.Exit(1)
+	}
 	slog.Info("resolved runtime files", "config_path", resolvedConfigPath)
 
 	setupLogger(cfg.Logging)
@@ -144,7 +158,7 @@ func main() {
 	}
 
 	gin.SetMode(cfg.Server.Mode)
-	router, err := setupRouter(cfg, connMgr, mariaDB, dbUser)
+	router, err := setupRouter(cfg, resolvedConfigPath, connMgr, mariaDB, dbUser)
 	if err != nil {
 		slog.Error("failed to setup router", "error", err)
 		os.Exit(1)
@@ -231,6 +245,29 @@ func setConfigDefaults(cfg *config.Config) {
 	}
 }
 
+func isLoopbackHost(host string) bool {
+	h := strings.TrimSpace(strings.ToLower(host))
+	if h == "" {
+		return false
+	}
+	if h == "localhost" {
+		return true
+	}
+	ip := net.ParseIP(h)
+	return ip != nil && ip.IsLoopback()
+}
+
+func normalizeLocalHost(host string) string {
+	h := strings.TrimSpace(strings.ToLower(host))
+	switch h {
+	case "0.0.0.0", "::":
+		slog.Warn("non-loopback bind address overridden for local mode", "from", host, "to", "127.0.0.1")
+		return "127.0.0.1"
+	default:
+		return host
+	}
+}
+
 func setupLogger(cfg config.LoggingConfig) {
 	var level slog.Level
 	switch cfg.Level {
@@ -278,7 +315,7 @@ func setupDatabaseFromDSN(dsn string) (*gorm.DB, error) {
 	return db, nil
 }
 
-func setupRouter(cfg *config.Config, connMgr *db.ConnectionManager, mariaDB *gorm.DB, dbUser string) (*gin.Engine, error) {
+func setupRouter(cfg *config.Config, configPath string, connMgr *db.ConnectionManager, mariaDB *gorm.DB, dbUser string) (*gin.Engine, error) {
 	var componentRepo *repository.ComponentRepository
 	var categoryRepo *repository.CategoryRepository
 	var priceRepo *repository.PriceRepository
@@ -320,6 +357,7 @@ func setupRouter(cfg *config.Config, connMgr *db.ConnectionManager, mariaDB *gor
 	}
 
 	router := gin.New()
+	router.MaxMultipartMemory = 26 << 20 // 26MB; stock import handler enforces 25MB payload limit
 	router.Use(gin.Recovery())
 	router.Use(requestLogger())
 	router.Use(middleware.CORS())
@@ -388,6 +426,107 @@ func setupRouter(cfg *config.Config, connMgr *db.ConnectionManager, mariaDB *gor
 		})
 	})
 
+	router.GET("/api/connection-settings", func(c *gin.Context) {
+		c.JSON(http.StatusOK, gin.H{
+			"host":     cfg.Database.Host,
+			"port":     cfg.Database.Port,
+			"database": cfg.Database.Name,
+			"user":     cfg.Database.User,
+		})
+	})
+
+	router.POST("/api/connection-settings/test", func(c *gin.Context) {
+		host := strings.TrimSpace(c.PostForm("host"))
+		database := strings.TrimSpace(c.PostForm("database"))
+		user := strings.TrimSpace(c.PostForm("user"))
+		password := c.PostForm("password")
+		port, err := strconv.Atoi(strings.TrimSpace(c.DefaultPostForm("port", strconv.Itoa(cfg.Database.Port))))
+		if err != nil || port <= 0 {
+			c.JSON(http.StatusBadRequest, gin.H{"success": false, "error": "invalid port"})
+			return
+		}
+
+		if host == "" || database == "" || user == "" {
+			c.JSON(http.StatusBadRequest, gin.H{"success": false, "error": "all fields except password are required"})
+			return
+		}
+		if password == "" {
+			password = cfg.Database.Password
+		}
+
+		dsn := buildMySQLDSN(host, port, database, user, password, 5*time.Second)
+		testDB, err := gorm.Open(mysql.Open(dsn), &gorm.Config{Logger: logger.Default.LogMode(logger.Silent)})
+		if err != nil {
+			c.JSON(http.StatusOK, gin.H{"success": false, "error": fmt.Sprintf("connection failed: %v", err)})
+			return
+		}
+		sqlDB, err := testDB.DB()
+		if err != nil {
+			c.JSON(http.StatusOK, gin.H{"success": false, "error": fmt.Sprintf("failed to get database handle: %v", err)})
+			return
+		}
+		defer sqlDB.Close()
+		if err := sqlDB.Ping(); err != nil {
+			c.JSON(http.StatusOK, gin.H{"success": false, "error": fmt.Sprintf("ping failed: %v", err)})
+			return
+		}
+
+		c.JSON(http.StatusOK, gin.H{"success": true, "message": "connection successful"})
+	})
+
+	router.POST("/api/connection-settings", func(c *gin.Context) {
+		host := strings.TrimSpace(c.PostForm("host"))
+		database := strings.TrimSpace(c.PostForm("database"))
+		user := strings.TrimSpace(c.PostForm("user"))
+		password := c.PostForm("password")
+		port, err := strconv.Atoi(strings.TrimSpace(c.DefaultPostForm("port", strconv.Itoa(cfg.Database.Port))))
+		if err != nil || port <= 0 {
+			c.JSON(http.StatusBadRequest, gin.H{"success": false, "error": "invalid port"})
+			return
+		}
+		if host == "" || database == "" || user == "" {
+			c.JSON(http.StatusBadRequest, gin.H{"success": false, "error": "all fields except password are required"})
+			return
+		}
+		if password == "" {
+			password = cfg.Database.Password
+		}
+
+		dsn := buildMySQLDSN(host, port, database, user, password, 5*time.Second)
+		testDB, err := gorm.Open(mysql.Open(dsn), &gorm.Config{Logger: logger.Default.LogMode(logger.Silent)})
+		if err != nil {
+			c.JSON(http.StatusBadRequest, gin.H{"success": false, "error": fmt.Sprintf("connection failed: %v", err)})
+			return
+		}
+		sqlDB, err := testDB.DB()
+		if err != nil {
+			c.JSON(http.StatusBadRequest, gin.H{"success": false, "error": fmt.Sprintf("failed to get database handle: %v", err)})
+			return
+		}
+		if err := sqlDB.Ping(); err != nil {
+			_ = sqlDB.Close()
+			c.JSON(http.StatusBadRequest, gin.H{"success": false, "error": fmt.Sprintf("ping failed: %v", err)})
+			return
+		}
+		_ = sqlDB.Close()
+
+		cfg.Database.Host = host
+		cfg.Database.Port = port
+		cfg.Database.Name = database
+		cfg.Database.User = user
+		cfg.Database.Password = password
+		if err := saveConfig(configPath, cfg); err != nil {
+			c.JSON(http.StatusInternalServerError, gin.H{"success": false, "error": fmt.Sprintf("failed to save config: %v", err)})
+			return
+		}
+
+		c.JSON(http.StatusOK, gin.H{
+			"success":          true,
+			"message":          "settings saved, restart required",
+			"restart_required": true,
+		})
+	})
+
 	router.GET("/api/current-user", func(c *gin.Context) {
 		c.JSON(http.StatusOK, gin.H{
 			"username": dbUser,
@@ -520,3 +659,30 @@ func requestLogger() gin.HandlerFunc {
 		)
 	}
 }
+
+func buildMySQLDSN(host string, port int, database, user, password string, timeout time.Duration) string {
+	cfg := mysqlDriver.NewConfig()
+	cfg.User = user
+	cfg.Passwd = password
+	cfg.Net = "tcp"
+	cfg.Addr = net.JoinHostPort(host, strconv.Itoa(port))
+	cfg.DBName = database
+	cfg.ParseTime = true
+	cfg.Loc = time.Local
+	cfg.Timeout = timeout
+	cfg.Params = map[string]string{
+		"charset": "utf8mb4",
+	}
+	return cfg.FormatDSN()
+}
+
+func saveConfig(path string, cfg *config.Config) error {
+	data, err := yaml.Marshal(cfg)
+	if err != nil {
+		return fmt.Errorf("marshal config: %w", err)
+	}
+	if err := os.WriteFile(path, data, 0600); err != nil {
+		return fmt.Errorf("write config: %w", err)
+	}
+	return nil
+}
diff --git a/web/templates/base.html b/web/templates/base.html
index ceff4c7..8f4ad74 100644
--- a/web/templates/base.html
+++ b/web/templates/base.html
@@ -21,7 +21,7 @@
                     <div class="hidden md:flex space-x-4">
                         <a id="admin-pricing-link" href="/admin/pricing" class="text-gray-600 hover:text-gray-900 px-3 py-2 text-sm">Администратор цен</a>
                         <a href="/pricelists" class="text-gray-600 hover:text-gray-900 px-3 py-2 text-sm">Прайслисты</a>
-                        <a href="/admin/pricing" class="text-gray-600 hover:text-gray-900 px-3 py-2 text-sm">Настройки</a>
+                        <button type="button" onclick="openConnectionSettingsModal()" class="text-gray-600 hover:text-gray-900 px-3 py-2 text-sm">Настройки</button>
                     </div>
                 </div>
                 <div class="flex items-center space-x-4">
@@ -39,14 +39,55 @@
         {{template "content" .}}
     </main>
 
+    <div id="connection-settings-modal" class="fixed inset-0 bg-black bg-opacity-50 hidden items-center justify-center z-50 px-4">
+        <div class="bg-white rounded-lg shadow-lg w-full max-w-md">
+            <div class="flex items-center justify-between px-5 py-4 border-b">
+                <h2 class="text-lg font-semibold text-gray-900">Параметры подключения</h2>
+                <button type="button" onclick="closeConnectionSettingsModal()" class="text-gray-400 hover:text-gray-700 text-xl leading-none">&times;</button>
+            </div>
+            <form id="connection-settings-form" class="p-5 space-y-3">
+                <div>
+                    <label class="block text-sm text-gray-700 mb-1">Хост</label>
+                    <input id="connection-host" name="host" type="text" class="w-full px-3 py-2 border border-gray-300 rounded-md focus:outline-none focus:ring-2 focus:ring-orange-500">
+                </div>
+                <div>
+                    <label class="block text-sm text-gray-700 mb-1">Порт</label>
+                    <input id="connection-port" name="port" type="number" class="w-full px-3 py-2 border border-gray-300 rounded-md focus:outline-none focus:ring-2 focus:ring-orange-500">
+                </div>
+                <div>
+                    <label class="block text-sm text-gray-700 mb-1">База данных</label>
+                    <input id="connection-database" name="database" type="text" class="w-full px-3 py-2 border border-gray-300 rounded-md focus:outline-none focus:ring-2 focus:ring-orange-500">
+                </div>
+                <div>
+                    <label class="block text-sm text-gray-700 mb-1">Пользователь</label>
+                    <input id="connection-user" name="user" type="text" class="w-full px-3 py-2 border border-gray-300 rounded-md focus:outline-none focus:ring-2 focus:ring-orange-500">
+                </div>
+                <div>
+                    <label class="block text-sm text-gray-700 mb-1">Пароль</label>
+                    <input id="connection-password" name="password" type="password" autocomplete="new-password" class="w-full px-3 py-2 border border-gray-300 rounded-md focus:outline-none focus:ring-2 focus:ring-orange-500">
+                    <p class="text-xs text-gray-500 mt-1">Оставьте пустым, чтобы сохранить текущий пароль.</p>
+                </div>
+                <div id="connection-settings-status" class="hidden text-sm rounded-md px-3 py-2"></div>
+                <div class="flex items-center justify-end gap-2 pt-2">
+                    <button type="button" onclick="testConnectionSettings()" class="px-3 py-2 border border-gray-300 rounded-md text-sm hover:bg-gray-50">Проверить</button>
+                    <button type="submit" class="px-3 py-2 bg-orange-600 text-white rounded-md text-sm hover:bg-orange-700">Сохранить</button>
+                </div>
+            </form>
+        </div>
+    </div>
+
     <div id="toast" class="fixed bottom-4 right-4 z-50"></div>
 
     <script>
         function showToast(msg, type) {
             const colors = { success: 'bg-green-500', error: 'bg-red-500', info: 'bg-orange-500' };
             const el = document.getElementById('toast');
-            el.innerHTML = '<div class="' + (colors[type] || colors.info) + ' text-white px-4 py-2 rounded shadow">' + msg + '</div>';
-            setTimeout(() => el.innerHTML = '', 3000);
+            el.replaceChildren();
+            const toast = document.createElement('div');
+            toast.className = (colors[type] || colors.info) + ' text-white px-4 py-2 rounded shadow';
+            toast.textContent = String(msg || '');
+            el.appendChild(toast);
+            setTimeout(() => el.replaceChildren(), 3000);
         }
 
         function renderDBStatus(connected, errorText) {
@@ -68,14 +109,114 @@
                 renderDBStatus(data.connected === true, data.error || '');
                 const userEl = document.getElementById('db-user');
                 if (data.connected && data.db_user) {
-                    userEl.innerHTML = '<span class="text-gray-500">@</span>' + data.db_user;
+                    userEl.textContent = '@' + String(data.db_user);
+                } else if (userEl) {
+                    userEl.textContent = '';
                 }
             } catch (e) {
                 renderDBStatus(false, 'Status request failed');
             }
         }
 
+        function closeConnectionSettingsModal() {
+            const modal = document.getElementById('connection-settings-modal');
+            if (!modal) return;
+            modal.classList.add('hidden');
+            modal.classList.remove('flex');
+        }
+
+        function showConnectionSettingsStatus(message, type) {
+            const el = document.getElementById('connection-settings-status');
+            if (!el) return;
+            el.classList.remove('hidden', 'bg-green-100', 'text-green-800', 'bg-red-100', 'text-red-800', 'bg-orange-100', 'text-orange-800');
+            if (type === 'success') {
+                el.classList.add('bg-green-100', 'text-green-800');
+            } else if (type === 'error') {
+                el.classList.add('bg-red-100', 'text-red-800');
+            } else {
+                el.classList.add('bg-orange-100', 'text-orange-800');
+            }
+            el.textContent = message;
+        }
+
+        async function openConnectionSettingsModal() {
+            const modal = document.getElementById('connection-settings-modal');
+            if (!modal) return;
+            modal.classList.remove('hidden');
+            modal.classList.add('flex');
+            showConnectionSettingsStatus('Загрузка текущих параметров...', 'info');
+
+            try {
+                const resp = await fetch('/api/connection-settings');
+                const data = await resp.json();
+                document.getElementById('connection-host').value = data.host || '';
+                document.getElementById('connection-port').value = data.port || 3306;
+                document.getElementById('connection-database').value = data.database || '';
+                document.getElementById('connection-user').value = data.user || '';
+                document.getElementById('connection-password').value = '';
+                document.getElementById('connection-settings-status').classList.add('hidden');
+            } catch (e) {
+                showConnectionSettingsStatus('Не удалось загрузить параметры: ' + e.message, 'error');
+            }
+        }
+
+        async function testConnectionSettings() {
+            const form = document.getElementById('connection-settings-form');
+            if (!form) return;
+            showConnectionSettingsStatus('Проверка подключения...', 'info');
+            try {
+                const resp = await fetch('/api/connection-settings/test', {
+                    method: 'POST',
+                    body: new FormData(form),
+                });
+                const data = await resp.json();
+                if (data.success) {
+                    showConnectionSettingsStatus('Подключение успешно.', 'success');
+                } else {
+                    showConnectionSettingsStatus(data.error || 'Ошибка проверки подключения.', 'error');
+                }
+            } catch (e) {
+                showConnectionSettingsStatus('Ошибка сети: ' + e.message, 'error');
+            }
+        }
+
         document.addEventListener('DOMContentLoaded', function () {
+            const form = document.getElementById('connection-settings-form');
+            if (form) {
+                form.addEventListener('submit', async function (e) {
+                    e.preventDefault();
+                    showConnectionSettingsStatus('Сохранение параметров...', 'info');
+                    try {
+                        const resp = await fetch('/api/connection-settings', {
+                            method: 'POST',
+                            body: new FormData(form),
+                        });
+                        const data = await resp.json();
+                        if (!resp.ok || !data.success) {
+                            showConnectionSettingsStatus(data.error || 'Ошибка сохранения параметров.', 'error');
+                            return;
+                        }
+
+                        showConnectionSettingsStatus('Параметры сохранены. Выполняется перезапуск...', 'success');
+                        setTimeout(async function () {
+                            try {
+                                await fetch('/api/restart', { method: 'POST' });
+                            } catch (_) {
+                            }
+                        }, 300);
+                    } catch (e) {
+                        showConnectionSettingsStatus('Ошибка сети: ' + e.message, 'error');
+                    }
+                });
+            }
+
+            const modal = document.getElementById('connection-settings-modal');
+            if (modal) {
+                modal.addEventListener('click', function (e) {
+                    if (e.target === modal) closeConnectionSettingsModal();
+                });
+            }
+
             refreshDBConnectionStatus();
             setInterval(refreshDBConnectionStatus, 10000);
         });