diff --git a/middleware.ts b/middleware.ts
index e1e82b6..6231cff 100644
--- a/middleware.ts
+++ b/middleware.ts
@@ -1,7 +1,7 @@
 /* eslint-disable functional/no-conditional-statements */
-import { whenNotErrorAll } from '@devprotocol/util-ts'
 import { Redis } from '@upstash/redis'
 import { rewrite, next } from '@vercel/edge'
+import { whenNotErrorAll } from '@devprotocol/util-ts'
 
 export const config = {
 	matcher: ['/((?!_astro).*)'],
@@ -23,6 +23,21 @@ export default async function middleware(req: Request) {
 		})
 	}
 
+	const allowedDomains = [
+		'https://clubs.place/',
+		'https://prerelease.clubs.place/',
+	]
+	const origin = req.headers.get('origin')
+	const referer = req.headers.get('referer')
+	if (
+		!referer ||
+		!allowedDomains.includes(referer) ||
+		!origin ||
+		!allowedDomains.includes(origin)
+	) {
+		return new Response('Forbidden', { status: 403 })
+	}
+
 	const client = new Redis({
 		url: process.env.KV_REST_API_URL,
 		token: process.env.KV_REST_API_READ_ONLY_TOKEN,