--- a/mod_http_health/README.md	Fri Nov 03 23:26:57 2023 +0100
+++ b/mod_http_health/README.md	Sun Nov 05 19:22:46 2023 +0100
@@ -12,6 +12,22 @@
 }
 ```
 
+## Access control
+
+By default only access via localhost is allowed. This can be adjusted with `http_health_allow_ips`. The following example shows the default:
+
+```
+http_health_allow_ips = { "::1"; "127.0.0.1" }
+```
+
+Access can also be granted to one IP range via CIDR notation:
+
+```
+http_health_allow_cidr = "172.17.2.0/24"
+```
+
+The default for `http_health_allow_cidr` is empty.
+
 # Details
 
 Adds a `http://your.prosody.example:5280/health` endpoint that returns either HTTP status code 200 when all appears to be good or 500 when any module

--- a/mod_http_health/mod_http_health.lua	Fri Nov 03 23:26:57 2023 +0100
+++ b/mod_http_health/mod_http_health.lua	Sun Nov 05 19:22:46 2023 +0100
@@ -1,11 +1,29 @@
 module:set_global();
 
+local ip = require "util.ip";
 
 local modulemanager = require "core.modulemanager";
 
+local permitted_ips = module:get_option_set("http_health_allow_ips", { "::1", "127.0.0.1" });
+local permitted_cidr = module:get_option_string("http_health_allow_cidr");
+
+local function is_permitted(request)
+	local ip_raw = request.ip;
+	if permitted_ips:contains(ip_raw) or
+	   (permitted_cidr and ip.match(ip.new_ip(ip_raw), ip.parse_cidr(permitted_cidr))) then
+		return true;
+	end
+	return false;
+end
+
 module:provides("http", {
 	route = {
-		GET = function()
+		GET = function(event)
+			local request = event.request;
+			if not is_permitted(request) then
+				return 403; -- Forbidden
+			end
+
 			for host in pairs(prosody.hosts) do
 				local mods = modulemanager.get_modules(host);
 				for _, mod in pairs(mods) do