diff --git a/.env.example b/.env.example
index b731cba..aee2499 100644
--- a/.env.example
+++ b/.env.example
@@ -3,3 +3,7 @@ FOOTBALL_API_KEY=your_api_key_here
 
 # Only needed for local development (npm run dev)
 VITE_FOOTBALL_API_KEY=your_api_key_here
+
+# Basic auth credentials (production only)
+AUTH_USER=henry
+AUTH_PASSWORD=your_password_here
diff --git a/Dockerfile b/Dockerfile
index bc4ea9c..9afa8c3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,4 +19,11 @@ COPY --from=builder /app/dist /usr/share/nginx/html
 # files at startup, producing /etc/nginx/conf.d/default.conf
 COPY nginx/default.conf.template /etc/nginx/templates/default.conf.template
 
+# Custom entrypoint: generates .htpasswd from AUTH_USER/AUTH_PASSWORD, then
+# hands off to the official nginx entrypoint
+COPY docker-entrypoint.sh /docker-entrypoint-custom.sh
+RUN chmod +x /docker-entrypoint-custom.sh
+
 EXPOSE 80
+ENTRYPOINT ["/docker-entrypoint-custom.sh"]
+CMD ["nginx", "-g", "daemon off;"]
diff --git a/docker-compose.yml b/docker-compose.yml
index 94142fa..cc28248 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,3 +6,5 @@ services:
       - "3000:80"
     environment:
       - FOOTBALL_API_KEY=${FOOTBALL_API_KEY}
+      - AUTH_USER=${AUTH_USER}
+      - AUTH_PASSWORD=${AUTH_PASSWORD}
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
new file mode 100644
index 0000000..c07dafa
--- /dev/null
+++ b/docker-entrypoint.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+set -e
+
+# Generate .htpasswd from environment variables
+if [ -z "$AUTH_USER" ] || [ -z "$AUTH_PASSWORD" ]; then
+  echo "ERROR: AUTH_USER and AUTH_PASSWORD must be set" >&2
+  exit 1
+fi
+
+echo "${AUTH_USER}:$(openssl passwd -apr1 "${AUTH_PASSWORD}")" > /etc/nginx/.htpasswd
+
+# Hand off to the official nginx entrypoint (runs envsubst on *.template files)
+exec /docker-entrypoint.sh "$@"
diff --git a/nginx/default.conf.template b/nginx/default.conf.template
index fb0f40e..c9dad36 100644
--- a/nginx/default.conf.template
+++ b/nginx/default.conf.template
@@ -3,6 +3,9 @@ server {
     root /usr/share/nginx/html;
     index index.html;
 
+    auth_basic "Football App";
+    auth_basic_user_file /etc/nginx/.htpasswd;
+
     # Proxy /api/* → football-data.org, injecting the API key server-side
     location /api/ {
         proxy_pass         https://api.football-data.org/v4/;