diff --git a/src/WeChat.php b/src/WeChat.php
index c617b7d..e314dcf 100644
--- a/src/WeChat.php
+++ b/src/WeChat.php
@@ -196,16 +196,17 @@ protected function httpGetForJson($url)
      * @access protected
      * @param string $url 接口地址
      * @param array $data 请求数据
-     * @param bool $buildToJson
+     * @param bool $toJson 转换JSON
+     * @param array $options 请求扩展数据
      * @return array
      * @throws InvalidResponseException
      */
-    protected function httpPostForJson($url, array $data, $buildToJson = true)
+    protected function httpPostForJson($url, array $data, $toJson = true, array $options = [])
     {
         try {
-            $options = [];
-            if ($buildToJson) $options['headers'] = ['Content-Type: application/json'];
-            return Tools::json2arr(Tools::post($url, $buildToJson ? Tools::arr2json($data) : $data, $options));
+            $options['headers'] = isset($options['headers']) ? $options['headers'] : [];
+            if ($toJson) $options['headers'][] = 'Content-Type: application/json';
+            return Tools::json2arr(Tools::post($url, $toJson ? Tools::arr2json($data) : $data, $options));
         } catch (InvalidResponseException $exception) {
             if (!$this->isTry && in_array($exception->getCode(), ['40014', '40001', '41001', '42001'])) {
                 [$this->delAccessToken(), $this->isTry = true];
@@ -235,13 +236,14 @@ protected function registerApi(&$url, $method, $arguments = [])
      * @access public
      * @param string $url 接口URL
      * @param array $data POST提交接口参数
-     * @param bool $isBuildJson
+     * @param bool $toJson 是否转换为JSON参数
+     * @param array $options 请求扩展数据
      * @return array
      */
-    public function callPostApi($url, array $data, $isBuildJson = true)
+    public function callPostApi($url, array $data, $toJson = true, array $options = [])
     {
         $this->registerApi($url, __FUNCTION__, func_get_args());
-        return $this->httpPostForJson($url, $data, $isBuildJson);
+        return $this->httpPostForJson($url, $data, $toJson, $options);
     }
 
     /**
diff --git a/src/wechat/services/mini/Security.php b/src/wechat/services/mini/Security.php
index b865b6e..734a965 100644
--- a/src/wechat/services/mini/Security.php
+++ b/src/wechat/services/mini/Security.php
@@ -28,7 +28,7 @@ class Security extends WeChat
     public function imgSecCheck($media)
     {
         $url = 'https://api.weixin.qq.com/wxa/img_sec_check?access_token=ACCESS_TOKEN';
-        return $this->callPostApi($url, ['media' => $media], false);
+        return $this->callPostApi($url, ['media' => $media], false, ['headers' => ['Content-Type: application/octet-stream']]);
     }
 
     /**