--- a/mod_http_status/README.md	Wed Oct 25 15:36:20 2023 +0200
+++ b/mod_http_status/README.md	Wed Oct 25 17:18:50 2023 +0200
@@ -13,3 +13,19 @@
 }
 ```
 
+# Configuration
+
+
+By default only access via localhost is allowed. This can be adjusted with `http_status_allow_ips`. The following example shows the default:
+
+```
+http_status_allow_ips = { "::1"; "127.0.0.1" }
+```
+
+Access can also be granted to one IP range via CIDR notation:
+
+```
+http_status_allow_cidr = "172.17.2.0/24"
+```
+
+The default for `http_status_allow_cidr` is empty.

--- a/mod_http_status/mod_http_status.lua	Wed Oct 25 15:36:20 2023 +0200
+++ b/mod_http_status/mod_http_status.lua	Wed Oct 25 17:18:50 2023 +0200
@@ -2,13 +2,29 @@
 
 local json = require "util.json";
 local datetime = require "util.datetime".datetime;
+local ip = require "util.ip";
 
 local modulemanager = require "core.modulemanager";
 
+local permitted_ips = module:get_option_set("http_status_allow_ips", { "::1", "127.0.0.1" });
+local permitted_cidr = module:get_option_string("http_status_allow_cidr");
+
+local function is_permitted(request)
+	local ip_raw = request.ip;
+	if permitted_ips:contains(ip_raw) or
+	   (permitted_cidr and ip.match(ip.new_ip(ip_raw), ip.parse_cidr(permitted_cidr))) then
+		return true;
+	end
+	return false;
+end
+
 module:provides("http", {
 	route = {
 		GET = function(event)
 			local request, response = event.request, event.response;
+			if not is_permitted(request) then
+				return 403; -- Forbidden
+			end
 			response.headers.content_type = "application/json";
 
 			local resp = { ["*"] = true };