diff --git a/addy.go b/addy.go
index 3d3ab19..f45d4dc 100644
--- a/addy.go
+++ b/addy.go
@@ -129,6 +129,23 @@ func addyAliasAPI(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Validate domain against allowlist
+	if len(allowedAliasDomains) == 0 {
+		http.Error(w, "Alias creation is not configured", http.StatusServiceUnavailable)
+		return
+	}
+	domainAllowed := false
+	for _, d := range allowedAliasDomains {
+		if body.Domain == d {
+			domainAllowed = true
+			break
+		}
+	}
+	if !domainAllowed {
+		http.Error(w, "Domain not allowed", http.StatusBadRequest)
+		return
+	}
+
 	if len(body.Alias) == 0 {
 		body.Alias = generateRandomString(10)
 	}
diff --git a/main.go b/main.go
index f76f06c..843dadf 100644
--- a/main.go
+++ b/main.go
@@ -23,6 +23,10 @@ var myPublicURL = "https://ldap.nemunai.re"
 // If empty, the feature is disabled.
 var dockerRegistrySecret string
 
+// allowedAliasDomains is the allowlist of domains users may create aliases under.
+// If empty, alias creation is disabled.
+var allowedAliasDomains []string
+
 var myLDAP = LDAP{
 	Host:     "localhost",
 	Port:     389,
@@ -171,6 +175,9 @@ func main() {
 	if val, ok := os.LookupEnv("DOCKER_REGISTRY_SECRET"); ok {
 		dockerRegistrySecret = val
 	}
+	if val, ok := os.LookupEnv("ALIAS_ALLOWED_DOMAINS"); ok && val != "" {
+		allowedAliasDomains = strings.Split(val, ",")
+	}
 
 	if flag.NArg() > 0 {
 		switch flag.Arg(0) {