diff --git a/frontends/etiquette_flask/backend/common.py b/frontends/etiquette_flask/backend/common.py
index ef1047a..1f243d7 100644
--- a/frontends/etiquette_flask/backend/common.py
+++ b/frontends/etiquette_flask/backend/common.py
@@ -42,6 +42,7 @@ site.jinja_env.trim_blocks = True
 site.jinja_env.lstrip_blocks = True
 jinja_filters.register_all(site)
 site.debug = True
+site.localhost_only = False
 
 session_manager = sessions.SessionManager(maxlen=10000)
 file_cache_manager = caching.FileCacheManager(
@@ -73,6 +74,12 @@ def decorate_and_route(*route_args, **route_kwargs):
     return wrapper
 site.route = decorate_and_route
 
+@site.before_request
+def before_request():
+    ip = request.remote_addr
+    if site.localhost_only and ip != '127.0.0.1':
+        flask.abort(403)
+
 gzip_minimum_size = 500
 gzip_maximum_size = 5 * 2**20
 gzip_level = 3
diff --git a/frontends/etiquette_flask/etiquette_flask_dev.py b/frontends/etiquette_flask/etiquette_flask_dev.py
index 0ad3768..a39560c 100644
--- a/frontends/etiquette_flask/etiquette_flask_dev.py
+++ b/frontends/etiquette_flask/etiquette_flask_dev.py
@@ -26,7 +26,7 @@ site = backend.site
 
 HTTPS_DIR = pathclass.Path(__file__).parent.with_child('https')
 
-def etiquette_flask_launch(create, port, use_https):
+def etiquette_flask_launch(create, port, localhost_only, use_https):
     if use_https is None:
         use_https = port == 443
 
@@ -43,6 +43,9 @@ def etiquette_flask_launch(create, port, use_https):
             application=site,
         )
 
+    if localhost_only:
+        site.localhost_only = True
+
     backend.common.init_photodb(create=create)
 
     message = f'Starting server on port {port}'
@@ -59,6 +62,7 @@ def etiquette_flask_launch_argparse(args):
     return etiquette_flask_launch(
         create=args.create,
         port=args.port,
+        localhost_only=args.localhost_only,
         use_https=args.use_https,
     )
 
@@ -67,6 +71,7 @@ def main(argv):
 
     parser.add_argument('port', nargs='?', type=int, default=5000)
     parser.add_argument('--dont_create', '--dont-create', '--no-create', dest='create', action='store_false', default=True)
+    parser.add_argument('--localhost_only', '--localhost-only', dest='localhost_only', action='store_true')
     parser.add_argument('--https', dest='use_https', action='store_true', default=None)
     parser.set_defaults(func=etiquette_flask_launch_argparse)