diff --git a/pom.xml b/pom.xml
index fc72458..357f949 100644
--- a/pom.xml
+++ b/pom.xml
@@ -48,6 +48,10 @@
             <artifactId>dotenv-java</artifactId>
             <version>3.0.0</version>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
     </dependencies>
 
     <build>
diff --git a/src/main/java/fr/tetelie/crawler/SecurityConfig.java b/src/main/java/fr/tetelie/crawler/SecurityConfig.java
new file mode 100644
index 0000000..7f73f6c
--- /dev/null
+++ b/src/main/java/fr/tetelie/crawler/SecurityConfig.java
@@ -0,0 +1,29 @@
+package fr.tetelie.crawler;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+
+@Configuration
+@EnableWebSecurity
+public class SecurityConfig {
+
+    @Bean
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        http
+                .authorizeHttpRequests((requests) -> requests
+                        .requestMatchers("/", "/api/**", "/css/**", "/js/**").permitAll() // Tout le monde voit le dashboard
+                        .requestMatchers("/add", "/delete/**").authenticated()           // Seul l'admin ajoute/supprime
+                        .anyRequest().authenticated()
+                )
+                .formLogin((form) -> form
+                        .defaultSuccessUrl("/", true)
+                        .permitAll()
+                )
+                .logout((logout) -> logout.permitAll());
+
+        return http.build();
+    }
+}
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 15a4abf..aebef8d 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -2,4 +2,6 @@ spring.datasource.url=${DB_URL}
 spring.datasource.username=${DB_USER}
 spring.datasource.password=${DB_PASS}
 spring.jpa.hibernate.ddl-auto=validate
-server.port=8083
\ No newline at end of file
+server.port=8083
+spring.security.user.name=admin
+spring.security.user.password=${ADMIN_PASS}
\ No newline at end of file
diff --git a/src/main/resources/templates/index.html b/src/main/resources/templates/index.html
index a004d48..1100fb4 100644
--- a/src/main/resources/templates/index.html
+++ b/src/main/resources/templates/index.html
@@ -28,6 +28,7 @@
 
     <section class="bg-gray-900 p-1 rounded-3xl border border-gray-800 shadow-2xl mb-12">
         <form th:action="@{/add}" method="POST" class="flex flex-col md:flex-row gap-2 p-2">
+            <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}" />
             <input type="text" name="name" required placeholder="Nom de l'objet..."
                    class="flex-1 p-4 rounded-2xl bg-gray-800 border-none text-white placeholder-gray-500 focus:ring-2 focus:ring-blue-600 outline-none transition-all">
             <input type="url" name="link" required placeholder="Lien Amazon..."