diff --git a/README.md b/README.md
index c6ddb39..1c720e7 100644
--- a/README.md
+++ b/README.md
@@ -44,6 +44,7 @@ docker run -d \
   -e PLEX_URL=http://your-plex-ip:32400 \
   -e PLEX_TOKEN=your-plex-token \
   -e ENCRYPTION_KEY=your-generated-key \
+  -e API_KEY=your-secret-key \
   ghcr.io/inch-high/plexgeo:latest
 ```
 
@@ -70,9 +71,12 @@ docker compose up -d
 | `POLL_INTERVAL` | `30` | Seconds between Plex polls |
 | `OUTLIER_THRESHOLD` | `0.10` | A country must account for <10% of sessions to be flagged |
 | `OUTLIER_MIN_SESSIONS` | `5` | Minimum sessions before outlier detection kicks in |
+| `API_KEY` | — | Optional. If set, the dashboard requires this key to access |
 
 > If `ENCRYPTION_KEY` is not set, a temporary key is generated in memory. Encrypted settings (e.g. your Plex token stored via the UI) will be lost on container restart.
 
+> If `API_KEY` is set, all API endpoints require an `Authorization: Bearer <key>` header. The dashboard will prompt for the key on first load.
+
 ---
 
 ## Docker Image
@@ -106,6 +110,7 @@ Available for `linux/amd64` and `linux/arm64`.
    - `PLEX_URL` = your Plex server URL
    - `PLEX_TOKEN` = your Plex token
    - `ENCRYPTION_KEY` = your generated key
+   - `API_KEY` = a secret password for dashboard access (optional)
 6. Click **Apply**
 
 ---
diff --git a/app/main.py b/app/main.py
index dfdcb8f..f9b8a45 100644
--- a/app/main.py
+++ b/app/main.py
@@ -1,13 +1,14 @@
 import logging
 import os
+import secrets
 from contextlib import asynccontextmanager
-from typing import Any
 
 from apscheduler.schedulers.asyncio import AsyncIOScheduler
-from fastapi import FastAPI, HTTPException
+from fastapi import FastAPI, HTTPException, Request, Query
 from fastapi.responses import FileResponse, JSONResponse
 from fastapi.staticfiles import StaticFiles
-from pydantic import BaseModel
+from pydantic import BaseModel, field_validator
+from starlette.middleware.base import BaseHTTPMiddleware
 
 from app import database
 from app import config as cfg
@@ -21,10 +22,34 @@
 
 scheduler = AsyncIOScheduler()
 
+API_KEY = os.environ.get("API_KEY", "").strip()
+
+
+# ── Auth middleware ───────────────────────────────────────────────────────────
+
+class AuthMiddleware(BaseHTTPMiddleware):
+    """Require Bearer token on /api/* routes when API_KEY is set."""
+    async def dispatch(self, request: Request, call_next):
+        if API_KEY and request.url.path.startswith("/api/"):
+            # /health is exempt for Docker healthcheck
+            if request.url.path != "/health":
+                auth = request.headers.get("authorization", "")
+                if not auth.startswith("Bearer ") or not secrets.compare_digest(auth[7:], API_KEY):
+                    return JSONResponse({"detail": "Unauthorized"}, status_code=401)
+        return await call_next(request)
+
+
+# ── Security headers middleware ──────────────────────────────────────────────
+
+class SecurityHeadersMiddleware(BaseHTTPMiddleware):
+    async def dispatch(self, request: Request, call_next):
+        response = await call_next(request)
+        response.headers["X-Content-Type-Options"] = "nosniff"
+        response.headers["X-Frame-Options"] = "DENY"
+        return response
+
 
 def _poll_interval() -> int:
-    import asyncio
-    # Sync wrapper — APScheduler calls this synchronously so we read env as fallback
     return int(os.environ.get("POLL_INTERVAL", "30"))
 
 
@@ -45,6 +70,11 @@ async def lifespan(app: FastAPI):
     scheduler.start()
     logger.info(f"Plex poller started (every {interval}s)")
 
+    if API_KEY:
+        logger.info("API_KEY is set — authentication enabled")
+    else:
+        logger.warning("API_KEY not set — dashboard is open to anyone on the network")
+
     await poll_sessions()
 
     yield
@@ -52,7 +82,9 @@ async def lifespan(app: FastAPI):
     scheduler.shutdown()
 
 
-app = FastAPI(title="PlexGeo", lifespan=lifespan)
+app = FastAPI(title="PlexGeo", lifespan=lifespan, docs_url=None, redoc_url=None)
+app.add_middleware(AuthMiddleware)
+app.add_middleware(SecurityHeadersMiddleware)
 
 static_dir = os.path.join(os.path.dirname(__file__), "static")
 app.mount("/static", StaticFiles(directory=static_dir), name="static")
@@ -71,7 +103,7 @@ async def get_stats():
 
 
 @app.get("/api/sessions")
-async def get_sessions(limit: int = 100, offset: int = 0):
+async def get_sessions(limit: int = Query(100, ge=1, le=1000), offset: int = Query(0, ge=0)):
     return await database.api_get_sessions(limit, offset)
 
 
@@ -117,6 +149,49 @@ class SettingsUpdate(BaseModel):
     outlier_threshold:    str | None = None
     outlier_min_sessions: str | None = None
 
+    @field_validator("plex_url")
+    @classmethod
+    def validate_plex_url(cls, v):
+        if v is not None and v != "" and not v.startswith(("http://", "https://")):
+            raise ValueError("Must start with http:// or https://")
+        return v
+
+    @field_validator("poll_interval")
+    @classmethod
+    def validate_poll_interval(cls, v):
+        if v is not None:
+            try:
+                n = int(v)
+            except ValueError:
+                raise ValueError("Must be a number")
+            if n < 5 or n > 3600:
+                raise ValueError("Must be between 5 and 3600")
+        return v
+
+    @field_validator("outlier_threshold")
+    @classmethod
+    def validate_outlier_threshold(cls, v):
+        if v is not None:
+            try:
+                n = float(v)
+            except ValueError:
+                raise ValueError("Must be a number")
+            if n < 0.01 or n > 1.0:
+                raise ValueError("Must be between 0.01 and 1.0")
+        return v
+
+    @field_validator("outlier_min_sessions")
+    @classmethod
+    def validate_outlier_min_sessions(cls, v):
+        if v is not None:
+            try:
+                n = int(v)
+            except ValueError:
+                raise ValueError("Must be a number")
+            if n < 1 or n > 1000:
+                raise ValueError("Must be between 1 and 1000")
+        return v
+
 
 @app.post("/api/settings")
 async def save_settings(body: SettingsUpdate):
@@ -177,7 +252,8 @@ async def test_connection():
     except Unauthorized:
         return {"ok": False, "message": "Authentication failed — check your Plex Token"}
     except Exception as e:
-        return {"ok": False, "message": f"Connection failed: {e}"}
+        logger.error(f"Plex connection test failed: {e}")
+        return {"ok": False, "message": "Connection failed — check your Plex URL and network"}
 
 
 @app.get("/health")
diff --git a/app/static/index.html b/app/static/index.html
index 4365cd2..ba28de9 100644
--- a/app/static/index.html
+++ b/app/static/index.html
@@ -878,6 +878,17 @@
 <!-- Tooltip -->
 <div class="tooltip" id="tooltip"></div>
 
+<!-- Auth overlay -->
+<div id="auth-overlay" style="display:none;position:fixed;inset:0;z-index:9999;background:rgba(0,0,0,0.85);display:none;align-items:center;justify-content:center;">
+  <div style="background:var(--panel);border:1px solid var(--border);border-radius:8px;padding:32px;max-width:360px;width:90%;text-align:center;">
+    <div style="font-size:18px;font-weight:700;margin-bottom:8px;color:var(--bright);">PlexGeo</div>
+    <div style="color:var(--muted);margin-bottom:20px;font-size:13px;">Enter your API key to continue</div>
+    <input id="auth-input" type="password" placeholder="API Key" style="width:100%;padding:10px 12px;border-radius:4px;border:1px solid var(--border);background:var(--bg);color:var(--fg);font-family:inherit;font-size:14px;box-sizing:border-box;margin-bottom:12px;">
+    <div id="auth-error" style="color:#e50914;font-size:12px;margin-bottom:12px;display:none;">Invalid API key</div>
+    <button onclick="submitAuth()" style="width:100%;padding:10px;border-radius:4px;border:none;background:#e50914;color:#fff;font-family:inherit;font-size:14px;cursor:pointer;font-weight:600;">Login</button>
+  </div>
+</div>
+
 <script>
 // ── Theme toggle ─────────────────────────────────────────────────────────────
 function toggleTheme() {
@@ -902,6 +913,12 @@
 // ── Utility ─────────────────────────────────────────────────────────────────
 const $ = id => document.getElementById(id);
 const fmt = n => Number(n).toLocaleString();
+function esc(s) {
+  if (!s && s !== 0) return '';
+  const d = document.createElement('div');
+  d.textContent = String(s);
+  return d.innerHTML;
+}
 
 function countryFlag(code) {
   if (!code || code.length !== 2 || code === 'XX' || code === 'LO') return '🌐';
@@ -945,9 +962,37 @@
   worldCountries: null
 };
 
+// ── Auth ──────────────────────────────────────────────────────────────────────
+function getApiKey() { return sessionStorage.getItem('plexgeo-api-key') || ''; }
+
+function showAuthOverlay() {
+  const overlay = $('auth-overlay');
+  overlay.style.display = 'flex';
+  $('auth-input').focus();
+  $('auth-input').addEventListener('keydown', e => { if (e.key === 'Enter') submitAuth(); });
+}
+
+async function submitAuth() {
+  const key = $('auth-input').value.trim();
+  if (!key) return;
+  sessionStorage.setItem('plexgeo-api-key', key);
+  const r = await fetch('/api/stats', { headers: { 'Authorization': 'Bearer ' + key } });
+  if (r.status === 401) {
+    $('auth-error').style.display = 'block';
+    sessionStorage.removeItem('plexgeo-api-key');
+    return;
+  }
+  $('auth-overlay').style.display = 'none';
+  refresh();
+}
+
 // ── API ───────────────────────────────────────────────────────────────────────
-async function api(path) {
-  const r = await fetch(path);
+async function api(path, opts = {}) {
+  const key = getApiKey();
+  const headers = { ...(opts.headers || {}) };
+  if (key) headers['Authorization'] = 'Bearer ' + key;
+  const r = await fetch(path, { ...opts, headers });
+  if (r.status === 401) { showAuthOverlay(); throw new Error('Unauthorized'); }
   if (!r.ok) throw new Error(`HTTP ${r.status}`);
   return r.json();
 }
@@ -985,10 +1030,10 @@
   }
   el.innerHTML = state.alerts.slice(0, 20).map(a => `
     <div class="alert-item" data-id="${a.id}">
-      <button class="ack-btn" onclick="ackAlert(${a.id}, event)">ACK</button>
-      <div class="alert-user">${a.username}</div>
+      <button class="ack-btn" onclick="ackAlert(${parseInt(a.id)}, event)">ACK</button>
+      <div class="alert-user">${esc(a.username)}</div>
       <div class="alert-detail">
-        ${countryFlag(a.country_code)} <em>${a.country_name}</em> — usual: ${countryFlag(a.usual_country)} ${a.usual_country}
+        ${countryFlag(a.country_code)} <em>${esc(a.country_name)}</em> — usual: ${countryFlag(a.usual_country)} ${esc(a.usual_country)}
       </div>
       <div class="alert-time">${timeAgo(a.created_at)}</div>
     </div>
@@ -997,7 +1042,10 @@
 
 async function ackAlert(id, e) {
   e.stopPropagation();
-  await fetch(`/api/alerts/${id}/acknowledge`, { method: 'POST' });
+  const key = getApiKey();
+  const headers = {};
+  if (key) headers['Authorization'] = 'Bearer ' + key;
+  await fetch(`/api/alerts/${id}/acknowledge`, { method: 'POST', headers });
   await refresh();
 }
 
@@ -1010,10 +1058,10 @@
   }
   el.innerHTML = state.users.map(u => `
     <div class="user-item ${state.selectedUser === u.username ? 'active' : ''}"
-         onclick="selectUser('${u.username}')">
-      <div class="user-avatar">${u.username[0].toUpperCase()}</div>
+         onclick="selectUser(${JSON.stringify(u.username)})">
+      <div class="user-avatar">${esc(u.username[0]).toUpperCase()}</div>
       <div>
-        <div class="user-name">${u.username}</div>
+        <div class="user-name">${esc(u.username)}</div>
         <div class="user-meta">${u.total_sessions} sessions · ${u.country_count} countries</div>
       </div>
       ${u.currently_active ? '<div class="stream-badge">LIVE</div>' : ''}
@@ -1199,7 +1247,7 @@
       tooltip.style.display = 'block';
       tooltip.style.left = (event.clientX + 12) + 'px';
       tooltip.style.top = (event.clientY - 10) + 'px';
-      tooltip.textContent = `▶ ${d.username} — ${d.city || d.country_name} · ${d.media_title}`;
+      tooltip.textContent = `\u25b6 ${d.username} \u2014 ${d.city || d.country_name} \u00b7 ${d.media_title}`;
     })
     .on('mouseleave', () => { tooltip.style.display = 'none'; })
     .on('click', function(event, d) {
@@ -1222,28 +1270,28 @@
     <div class="dot-popup-row">
       <span class="dot-popup-label">User</span>
       <span class="dot-popup-val">
-        <a class="user-link" onclick="closeDotPopup();selectUser('${session.username}')">${session.username}</a>
+        <a class="user-link" onclick="closeDotPopup();selectUser(${JSON.stringify(session.username)})">${esc(session.username)}</a>
       </span>
     </div>
     <div class="dot-popup-row">
       <span class="dot-popup-label">Location</span>
-      <span class="dot-popup-val">${countryFlag(session.country_code)} ${session.city ? session.city + ', ' : ''}${session.country_name}</span>
+      <span class="dot-popup-val">${countryFlag(session.country_code)} ${session.city ? esc(session.city) + ', ' : ''}${esc(session.country_name)}</span>
     </div>
     <div class="dot-popup-row">
       <span class="dot-popup-label">IP Address</span>
-      <span class="dot-popup-val" style="color:var(--muted)">${session.ip_address}</span>
+      <span class="dot-popup-val" style="color:var(--muted)">${esc(session.ip_address)}</span>
     </div>
     <div class="dot-popup-row">
       <span class="dot-popup-label">Now Playing</span>
-      <span class="dot-popup-val" style="color:var(--bright)">${session.media_title || '—'}</span>
+      <span class="dot-popup-val" style="color:var(--bright)">${esc(session.media_title) || '—'}</span>
     </div>
     <div class="dot-popup-row">
       <span class="dot-popup-label">Type</span>
-      <span class="dot-popup-val">${session.media_type || '—'}</span>
+      <span class="dot-popup-val">${esc(session.media_type) || '—'}</span>
     </div>
     <div class="dot-popup-row">
       <span class="dot-popup-label">Platform</span>
-      <span class="dot-popup-val">${session.player_platform || '—'}</span>
+      <span class="dot-popup-val">${esc(session.player_platform) || '—'}</span>
     </div>
     <div class="dot-popup-row">
       <span class="dot-popup-label">Started</span>
@@ -1272,7 +1320,7 @@
   el.innerHTML = top.map(d => `
     <div class="country-bar-row">
       <div class="country-bar-flag">${countryFlag(d.code)}</div>
-      <div class="country-bar-name">${d.name}</div>
+      <div class="country-bar-name">${esc(d.name)}</div>
       <div class="country-bar-track"><div class="country-bar-fill" style="width:${Math.round((d.count/max)*100)}%"></div></div>
       <div class="country-bar-count">${fmt(d.count)}</div>
     </div>
@@ -1288,11 +1336,11 @@
     <div class="country-bar-row" style="flex-wrap:wrap;gap:6px;">
       <div class="country-bar-flag">${countryFlag(s.country_code)}</div>
       <div style="color:var(--bright);font-size:11px;flex:1;">
-        <a class="user-link" onclick="selectUser('${s.username}')">${s.username}</a>
-        <span style="color:var(--muted)"> · ${s.country_name}</span>
+        <a class="user-link" onclick="selectUser(${JSON.stringify(s.username)})">${esc(s.username)}</a>
+        <span style="color:var(--muted)"> · ${esc(s.country_name)}</span>
       </div>
       <div style="color:var(--muted);font-size:10px;width:100%;padding-left:30px;">
-        ${s.media_title || '—'} · ${s.player_platform || '—'}
+        ${esc(s.media_title) || '—'} · ${esc(s.player_platform) || '—'}
       </div>
     </div>
   `).join('');
@@ -1309,16 +1357,16 @@
   tbody.innerHTML = state.sessions.map(s => `
     <tr>
       <td><span class="badge ${s.is_active ? 'badge-active' : 'badge-ended'}">${s.is_active ? '● LIVE' : 'ended'}</span></td>
-      <td><a class="user-link" onclick="selectUser('${s.username}')">${s.username}</a></td>
+      <td><a class="user-link" onclick="selectUser(${JSON.stringify(s.username)})">${esc(s.username)}</a></td>
       <td class="flag-cell">
         ${s.country_code === 'LO'
           ? '<span class="badge badge-local">LOCAL</span>'
-          : `${countryFlag(s.country_code)} <span style="color:var(--bright)">${s.country_name}</span>`}
-        ${s.city ? `<div style="color:var(--muted);font-size:10px;">${s.city}</div>` : ''}
+          : `${countryFlag(s.country_code)} <span style="color:var(--bright)">${esc(s.country_name)}</span>`}
+        ${s.city ? `<div style="color:var(--muted);font-size:10px;">${esc(s.city)}</div>` : ''}
       </td>
-      <td class="ip-text">${s.ip_address}</td>
-      <td class="media-text">${s.media_title || '—'}<div style="color:var(--muted);font-size:10px;">${s.media_type || ''}</div></td>
-      <td style="color:var(--muted)">${s.player_platform || '—'}</td>
+      <td class="ip-text">${esc(s.ip_address)}</td>
+      <td class="media-text">${esc(s.media_title) || '—'}<div style="color:var(--muted);font-size:10px;">${esc(s.media_type) || ''}</div></td>
+      <td style="color:var(--muted)">${esc(s.player_platform) || '—'}</td>
       <td style="color:var(--muted)">${shortDate(s.started_at)}</td>
       <td style="color:var(--muted)">${timeAgo(s.last_seen)}</td>
     </tr>
@@ -1352,9 +1400,9 @@
 
   el.innerHTML = `
     <div class="user-detail-header">
-      <div class="user-detail-avatar">${username[0].toUpperCase()}</div>
+      <div class="user-detail-avatar">${esc(username[0]).toUpperCase()}</div>
       <div>
-        <div class="user-detail-name">${username}</div>
+        <div class="user-detail-name">${esc(username)}</div>
         <div class="user-detail-stats">
           <div class="user-detail-stat">Sessions: <span>${fmt(user?.total_sessions || 0)}</span></div>
           <div class="user-detail-stat">Countries: <span>${fmt(user?.country_count || 0)}</span></div>
@@ -1375,7 +1423,7 @@
           ${countries.map(c => `
             <div class="country-bar-row">
               <div class="country-bar-flag">${countryFlag(c.code)}</div>
-              <div class="country-bar-name">${c.name}</div>
+              <div class="country-bar-name">${esc(c.name)}</div>
               <div class="country-bar-track">
                 <div class="country-bar-fill" style="width:${Math.round((c.count/countries[0].count)*100)}%"></div>
               </div>
@@ -1401,10 +1449,10 @@
           <tbody>
             ${history.sessions.map(s => `
               <tr>
-                <td>${countryFlag(s.country_code)} ${s.country_name}${s.city ? `<div class="ip-text">${s.city}</div>` : ''}</td>
-                <td class="ip-text">${s.ip_address}</td>
-                <td class="media-text">${s.media_title || '—'}</td>
-                <td style="color:var(--muted)">${s.player_platform || '—'}</td>
+                <td>${countryFlag(s.country_code)} ${esc(s.country_name)}${s.city ? `<div class="ip-text">${esc(s.city)}</div>` : ''}</td>
+                <td class="ip-text">${esc(s.ip_address)}</td>
+                <td class="media-text">${esc(s.media_title) || '—'}</td>
+                <td style="color:var(--muted)">${esc(s.player_platform) || '—'}</td>
                 <td style="color:var(--muted)">${shortDate(s.started_at)}</td>
               </tr>
             `).join('') || '<tr><td colspan="5"><div class="empty">No sessions</div></td></tr>'}
@@ -1510,9 +1558,12 @@
   if (token) payload.plex_token = token;
 
   try {
+    const hdrs = { 'Content-Type': 'application/json' };
+    const key = getApiKey();
+    if (key) hdrs['Authorization'] = 'Bearer ' + key;
     const res = await fetch('/api/settings', {
       method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
+      headers: hdrs,
       body: JSON.stringify(payload),
     });
     const data = await res.json();
@@ -1541,7 +1592,10 @@
   result.className = '';
 
   try {
-    const res = await fetch('/api/settings/test', { method: 'POST' });
+    const thdrs = {};
+    const tkey = getApiKey();
+    if (tkey) thdrs['Authorization'] = 'Bearer ' + tkey;
+    const res = await fetch('/api/settings/test', { method: 'POST', headers: thdrs });
     const data = await res.json();
     result.textContent = data.message;
     result.className   = data.ok ? 'test-ok' : 'test-err';
diff --git a/docker-compose.yml b/docker-compose.yml
index 559ecf1..16f8b33 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -14,6 +14,8 @@ services:
       - OUTLIER_MIN_SESSIONS=${OUTLIER_MIN_SESSIONS:-5}
       # Generate with: openssl rand -base64 32
       - ENCRYPTION_KEY=${ENCRYPTION_KEY}
+      # Optional: set to require authentication on the dashboard
+      - API_KEY=${API_KEY:-}
     volumes:
       - plexgeo_data:/data
 
diff --git a/unraid/my-plexgeo.xml b/unraid/my-plexgeo.xml
index 8cea2ed..9b2b4bb 100644
--- a/unraid/my-plexgeo.xml
+++ b/unraid/my-plexgeo.xml
@@ -20,6 +20,7 @@
   <Config Name="Plex URL" Target="PLEX_URL" Default="" Type="Variable" Display="always" Required="true" Description="URL of your Plex server, e.g. http://192.168.1.50:32400"></Config>
   <Config Name="Plex Token" Target="PLEX_TOKEN" Default="" Type="Variable" Display="password" Required="true" Description="Your Plex authentication token (X-Plex-Token)"></Config>
   <Config Name="Encryption Key" Target="ENCRYPTION_KEY" Default="" Type="Variable" Display="password" Required="true" Description="Encryption key for sensitive settings. Generate with: openssl rand -base64 32"></Config>
+  <Config Name="API Key" Target="API_KEY" Default="" Type="Variable" Display="password" Required="false" Description="Optional. If set, the dashboard requires this key to access."></Config>
   <Config Name="Poll Interval" Target="POLL_INTERVAL" Default="30" Type="Variable" Display="always" Description="Seconds between Plex polls">30</Config>
   <Config Name="Outlier Threshold" Target="OUTLIER_THRESHOLD" Default="0.10" Type="Variable" Display="always" Description="A country must account for less than this fraction of sessions to be flagged">0.10</Config>
   <Config Name="Outlier Min Sessions" Target="OUTLIER_MIN_SESSIONS" Default="5" Type="Variable" Display="always" Description="Minimum sessions before outlier detection kicks in">5</Config>