diff --git a/package.json b/package.json
index de901b9..04c328a 100644
--- a/package.json
+++ b/package.json
@@ -30,6 +30,7 @@
 "connect-static-file": "=1.1.2",
 "express": "=4.14.0",
 "express-basic-auth": "=0.2.3",
+ "express-ip-access-control": "=1.0.5",
 "express-winston": "=2.1.2",
 "helmet": "=3.4.0",
 "opbeat": "=4.7.0",
diff --git a/src/consts.js b/src/consts.js
index a8d59ce..7d8f464 100644
--- a/src/consts.js
+++ b/src/consts.js
@@ -3,6 +3,7 @@ const IN_TEST = process.env.NODE_ENV === 'test';
 module.exports = {
 SERVE_DIR: IN_TEST ? 'site/' : process.argv[process.argv.length - 1],
 PORT: process.env.PORT || 5000,
+ ALLOWED_IPS: process.env.ALLOWED_IPS ? process.env.ALLOWED_IPS.split(',') : undefined,
 IN_TEST,
 IN_PRODUCTION: process.env.NODE_ENV === 'production',
 DIR_LIST: process.env.DIR_LIST,
diff --git a/src/server.js b/src/server.js
index 4013ab5..f5c0e9a 100755
--- a/src/server.js
+++ b/src/server.js
@@ -8,6 +8,7 @@ const consts = require('./consts');
 const compression = require('compression');
 const helmet = require('helmet');
 const serveIndex = require('serve-index');
+const AccessControl = require('express-ip-access-control');
 const opbeat = require('opbeat').start({ active: consts.IN_PRODUCTION });
@@ -17,6 +18,16 @@ const staticFiles = require('./static-files');
 const handle404 = require('./404');
 const basicAuth = require('./basic-auth');
+if (consts.ALLOWED_IPS) {
+ app.set('trust proxy', true);
+
+ app.use(AccessControl({
+ mode: 'allow',
+ allows: consts.ALLOWED_IPS,
+ forceConnectionAddress: true,
+ statusCode: 404
+ }));
+}
 // Custom Middleware
 app.use(logging);
 app.use(basicAuth);
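Review bot: In src/consts.js the new `ALLOWED_IPS` entry splits on commas without trimming or dropping empty items, so a value such as `10.0.0.1, 10.0.0.2` (constructed example) yields an entry with a leading space that will presumably never match a client address. An `ALLOWED_IPS=` that is set but empty also falls through the ternary to `undefined`, which switches the allowlist off entirely instead of failing closed. I would normalise the list with `process.env.ALLOWED_IPS.split(',').map((ip) => ip.trim()).filter(Boolean)` and document above the key whether a set-but-empty value means "deny all" or "no restriction". The `module.exports` object continues outside the hunk.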
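Review bot: In the second src/server.js hunk, `app.set('trust proxy', true)` and `forceConnectionAddress: true` work against each other. As I read the express-ip-access-control documentation, `forceConnectionAddress` makes the middleware compare the socket peer address and ignore `req.ip`, so behind a reverse proxy the allowlist would be matched against the proxy's address, not the client's. Meanwhile an unbounded `trust proxy` lets any client set `X-Forwarded-*` headers that Express then uses for `req.ip`, `req.protocol` and `req.hostname` in every later middleware, logging included. Pick one model: if the server is directly exposed, drop the `app.set('trust proxy', true);` line; if it sits behind one known proxy, use a bounded value such as `app.set('trust proxy', 1);` together with `forceConnectionAddress: false`. The block is also registered ahead of `app.use(logging)`, so denied requests probably never reach the request log; moving it after the logging middleware would keep rejected attempts visible.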