diff --git a/login.go b/login.go
index 14b9fef..cd72b3c 100644
--- a/login.go
+++ b/login.go
@@ -108,7 +108,7 @@ func httpBasicAuth(w http.ResponseWriter, r *http.Request) {
 			}
 			return
 		}
-	} else if v := r.Header.Get("X-Special-Auth"); v == "docker-registry" {
+	} else if dockerRegistrySecret != "" && r.Header.Get("X-Special-Auth") == dockerRegistrySecret {
 		method := r.Header.Get("X-Original-Method")
 		uri := r.Header.Get("X-Original-URI")
 
diff --git a/main.go b/main.go
index 67e4234..f2c4c37 100644
--- a/main.go
+++ b/main.go
@@ -19,6 +19,10 @@ import (
 
 var myPublicURL = "https://ldap.nemunai.re"
 
+// dockerRegistrySecret is required for X-Special-Auth anonymous access.
+// If empty, the feature is disabled.
+var dockerRegistrySecret string
+
 var myLDAP = LDAP{
 	Host:     "localhost",
 	Port:     389,
@@ -164,6 +168,9 @@ func main() {
 	if val, ok := os.LookupEnv("PUBLIC_URL"); ok {
 		myPublicURL = val
 	}
+	if val, ok := os.LookupEnv("DOCKER_REGISTRY_SECRET"); ok {
+		dockerRegistrySecret = val
+	}
 
 	if flag.NArg() > 0 {
 		switch flag.Arg(0) {