diff --git a/Backend/Vars.cs b/Backend/Vars.cs index c76bfa2..e1a5946 100644 --- a/Backend/Vars.cs +++ b/Backend/Vars.cs @@ -18,5 +18,5 @@ public class Vars { public static readonly List ResponseHeaders = new() { "remote-user", "remote-groups", "remote-name", "remote-email" }; - public static readonly List PermittedDstDomains = new() { "ztn.sh", "zotan.services" }; + public static readonly List PermittedDomains = new() { "ztn.sh" }; } diff --git a/Controllers/CookieProxyController.cs b/Controllers/CookieProxyController.cs index e9b1a7b..446f782 100644 --- a/Controllers/CookieProxyController.cs +++ b/Controllers/CookieProxyController.cs @@ -11,23 +11,31 @@ public class CookieProxyController : Controller { [Produces("text/html", "text/plain")] [Route("/api/cookieproxy_stage_one")] public IActionResult StageOne([FromQuery] string dstDomain, [FromQuery] string tgt) { + // Check if we are on the correct domain + if (Request.Host.Host != Vars.AuthProxySubdomain + Vars.UpstreamPrimaryDomain) + return StatusCode(StatusCodes.Status421MisdirectedRequest); + if (!Request.Cookies.ContainsKey("authelia_session") || string.IsNullOrWhiteSpace(dstDomain) - || !Vars.PermittedDstDomains.Contains(dstDomain) + || !Vars.PermittedDomains.Contains(dstDomain) || string.IsNullOrWhiteSpace(tgt)) { return BadRequest("Bad request."); } var targetUrl = $"https://{Vars.AuthProxySubdomain}.{dstDomain}/api/cookieproxy_stage_two?dstDomain={HttpUtility.UrlEncode(dstDomain)}&tgt={HttpUtility.UrlEncode(tgt)}"; - return Content($"Redirecting to cookie proxy (stage two) on the destination domain...
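Review bot: PermittedDomains is consulted with `Contains` in CookieProxyController and with `EndsWith` in the new host checks, and as a `List` the `Contains` lookup is ordinal and case-sensitive even though domain names are not; declaring it as a `HashSet<string>` created with `StringComparer.OrdinalIgnoreCase` makes that lookup tolerant of case without touching the callers. A `public static readonly` list also stays mutable through `Add`/`Remove`, so an `IReadOnlySet<string>` (or `IReadOnlyList<string>`) declaration would make the allow-list immutable to the rest of the app. The generic type arguments are not visible in this rendering, so the element type is assumed from the string initializers.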
if you are not redirected automatically
", "text/html"); + return Content($"Redirecting to cookie proxy (stage two) on the destination domain...
if you are not redirected automatically
", "text/html"); } [HttpPost] [Produces("text/html", "text/plain")] [Route("/api/cookieproxy_stage_two")] public IActionResult StageTwo([FromQuery] string dstDomain, [FromQuery] string tgt, [FromForm] string cookie) { - if (string.IsNullOrWhiteSpace(dstDomain) || !Vars.PermittedDstDomains.Contains(dstDomain) || string.IsNullOrWhiteSpace(cookie) || string.IsNullOrWhiteSpace(tgt)) { + // Check if we are on an allowed domain + if (!Request.Host.Host.StartsWith(Vars.AuthProxySubdomain + ".") || !Vars.PermittedDomains.Any(p => Request.Host.Host.EndsWith("." + p))) + return StatusCode(StatusCodes.Status421MisdirectedRequest); + + if (string.IsNullOrWhiteSpace(dstDomain) || !Vars.PermittedDomains.Contains(dstDomain) || string.IsNullOrWhiteSpace(cookie) || string.IsNullOrWhiteSpace(tgt)) { return BadRequest("Bad request."); } diff --git a/Controllers/LogoutController.cs b/Controllers/LogoutController.cs index 8c61fde..2e99133 100644 --- a/Controllers/LogoutController.cs +++ b/Controllers/LogoutController.cs @@ -9,6 +9,10 @@ public class LogoutController : Controller { [Route("/api/logout")] [Produces("text/html")] public ActionResult Post([FromQuery] string rd) { + // Check if we are on an allowed domain + if (!Request.Host.Host.StartsWith(Vars.AuthProxySubdomain + ".") || !Vars.PermittedDomains.Any(p => Request.Host.Host.EndsWith("." + p))) + return StatusCode(StatusCodes.Status421MisdirectedRequest); + if (string.IsNullOrWhiteSpace(rd)) rd = "/"; diff --git a/Controllers/VerifyController.cs b/Controllers/VerifyController.cs index 46d55b5..dad4470 100644 --- a/Controllers/VerifyController.cs +++ b/Controllers/VerifyController.cs 
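Review bot: StageOne's new host check compares `Request.Host.Host` against `Vars.AuthProxySubdomain + Vars.UpstreamPrimaryDomain` with no `.` between the two parts, while the URL built a few lines later and every other check in this commit use `Vars.AuthProxySubdomain + "."`; unless `UpstreamPrimaryDomain` already carries a leading dot (not visible here), the comparison never matches and the endpoint always answers 421. The comparisons should also be explicit: `!=` on strings is ordinal and case-sensitive, and `StartsWith`/`EndsWith` with no `StringComparison` argument are culture-sensitive, whereas host names are case-insensitive, so a mixed-case Host header is rejected by the same check that accepts the lower-case one. Pass `StringComparison.OrdinalIgnoreCase` here and in the identical predicates in LogoutController.Post, VerifyController.Get and Pages/Index.cshtml, e.g. `if (!string.Equals(Request.Host.Host, Vars.AuthProxySubdomain + "." + Vars.UpstreamPrimaryDomain, StringComparison.OrdinalIgnoreCase))`. StageTwo's body continues outside the hunk.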
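Review bot: The allowed-host predicate added before the `rd` default is the same expression that CookieProxyController.StageTwo, VerifyController.Get and Pages/Index.cshtml now carry, so any later change to its comparison semantics has to be repeated in four places. A single helper next to the list it reads keeps that in one spot, e.g. `public static bool IsPermittedHost(string host) => PermittedDomains.Any(p => host.EndsWith("." + p, StringComparison.OrdinalIgnoreCase));` in Vars, with the subdomain-prefix check composed by the callers that need it. Post's body, including how `rd` is used after it is defaulted, continues outside the hunk.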
@@ -7,6 +7,12 @@ namespace AutheliaMultiDomainProxy.Controllers; [Route("/api/verify")] public class VerifyController : Controller { public string Get() { + // Check if we are on an allowed domain + if (!Vars.PermittedDomains.Any(p => Request.Host.Host.EndsWith("." + p))) { + Response.StatusCode = 421; + return "421 Misdirected Request"; + } + var upstreamResponse = AuthHelpers.MakeUpstreamAutheliaRequest(Request.Headers, Request.Cookies[Vars.CookieName]); foreach (var header in upstreamResponse.Headers) { diff --git a/Pages/Index.cshtml b/Pages/Index.cshtml index 78ff08d..0881bb4 100644 --- a/Pages/Index.cshtml +++ b/Pages/Index.cshtml @@ -3,7 +3,8 @@ @using System.Web @model IndexModel @{ - if (!Request.Host.Value.StartsWith(Vars.AuthProxySubdomain + ".") && Request.Host.Host != "localhost") { + // Check if we are on an allowed domain + if (!Request.Host.Host.StartsWith(Vars.AuthProxySubdomain + ".") || !Vars.PermittedDomains.Any(p => Request.Host.Host.EndsWith("." + p))) { Layout = null; Response.Clear(); Response.StatusCode = StatusCodes.Status421MisdirectedRequest;
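Review bot: Get writes the bare literal `421` into `Response.StatusCode` where the other hunks in this commit use `StatusCodes.Status421MisdirectedRequest`; use the named constant here too, `Response.StatusCode = StatusCodes.Status421MisdirectedRequest;`, so the four checks read alike. Unlike StageTwo, Post and the Razor page, this check accepts any host under a permitted domain without requiring the `Vars.AuthProxySubdomain + "."` prefix; if that is deliberate because /api/verify is called for every protected host, a one-line comment would stop the next reader from "fixing" it: `// Any host under a permitted domain may call verify; the auth subdomain prefix is not required here.` Get's body continues outside the hunk.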
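Review bot: The replaced condition carried an explicit `Request.Host.Host != "localhost"` exemption that the new condition drops, so a local run now receives a 421 unless its host ends with an entry of PermittedDomains; if that is intentional it should be stated in the commit message, otherwise keep the carve-out alongside the new check. Switching from `Request.Host.Value` to `Request.Host.Host` also removes the port from the prefix comparison, which reads as an intended correction of the old check rather than a side effect. Both points concern only the condition line; the rest of the Razor block is unchanged.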