diff --git a/index.js b/index.js
index 3a54a6f..42ea2cf 100644
--- a/index.js
+++ b/index.js
@@ -5,6 +5,11 @@ const url = require('url');
 const fs = require('fs').promises;
 let PORT = process.env.PORT || 8000;
 
+let blockList = (process.env.BLOCKLIST || '').split(',').filter(a => a);
+console.log("Blocklist:", blockList);
+let allowList = (process.env.ALLOWLIST || '').split(',').filter(a => a);
+console.log("AllowList:", allowList);
+
 process.argv.forEach(function (arg) {
   if(arg.indexOf('--port=') === 0) {
     PORT = parseInt(arg.replace('--port=', ''), 10);
@@ -19,6 +24,15 @@ http.createServer((req, response) => {
   let remoteURL = url.parse(req.url.substring(1));
   if(!remoteURL.hostname || remoteURL.hostname === 'localhost') return response.end();
 
+  if(blockList.some(b => remoteURL.hostname == b || remoteURL.hostname.endsWith("." + b))) {
+    console.log("Domain is in blocklist")
+    return response.end();
+  }
+  if(allowList.length > 0 && !allowList.some(b => remoteURL.hostname == b || remoteURL.hostname.endsWith("." + b))) {
+    console.log("Domain is not in allowlist")
+    return response.end();
+  }
+
   if(req.method === 'OPTIONS') {
     response.writeHead(200, {
       'access-control-allow-origin': req.headers.origin || '*',