diff --git a/fe/http.go b/fe/http.go
index 9f3be78b1c4b7a2baa46b02e11debb0e25724a67..d204401c18b958340a1c272d263bf0a1f4305243 100644
--- a/fe/http.go
+++ b/fe/http.go
@@ -27,6 +27,9 @@ import (
 var (
 	proxyStreams = flag.Bool("enable-icecast-proxy", false, "Proxy the local icecast")
 
+	disableDebug  = flag.Bool("disable-debug", false, "Disable /debug/ URLs")
+	restrictDebug = flag.Bool("restrict-debug", true, "Restrict access to /debug/ URLs to localhost")
+
 	httpStatusCodes   = instrumentation.NewCounter("http.status")
 	httpTargetStats   = instrumentation.NewCounter("http.target")
 	sourceConnections = instrumentation.NewCounter("http.source_connections")
@@ -366,6 +369,16 @@ func (h *HttpRedirector) serveStatusPage(w http.ResponseWriter, r *http.Request)
 	w.Write(buf.Bytes())
 }
 
+func withLocalhost(h http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if ip := net.ParseIP(r.RemoteAddr); !ip.IsLoopback() {
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			return
+		}
+		h.ServeHTTP(w, r)
+	})
+}
+
 func (h *HttpRedirector) createHandler() http.Handler {
 	// Create our HTTP handler stack.
 	mux := http.NewServeMux()
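Review bot: `net.ParseIP(r.RemoteAddr)` in `withLocalhost` cannot succeed, because net/http fills `RemoteAddr` as `IP:port`; ParseIP returns nil, `IsLoopback()` on a nil IP is false, and every request is refused, loopback clients included. The check fails closed, but with `-restrict-debug` defaulting to true the /debug/ pages become unreachable for everyone; strip the port first with `host, _, err := net.SplitHostPort(r.RemoteAddr)` and then test `if ip := net.ParseIP(host); err != nil || !ip.IsLoopback() {`. `http.StatusForbidden` describes this refusal better than 401, since no credentials would change the outcome. The function also deserves a doc comment stating that it trusts the TCP peer address only, so if the server is ever placed behind a reverse proxy on the same host, every proxied request would pass as loopback.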
@@ -379,13 +392,19 @@ func (h *HttpRedirector) createHandler() http.Handler {
 				http.FileServer(http.Dir(h.staticDir))),
 			nil))
 
-	// Pass /debug/ to the default ServeMux, all the default debug
-	// handlers are installed there. Add a debug handler for the
-	// LoadBalancer data. Gzip the responses.
-	debugMux := http.NewServeMux()
-	debugMux.Handle("/debug/lbv2", h.lb)
-	debugMux.Handle("/", http.DefaultServeMux)
-	mux.Handle("/debug/", handlers.GZIPHandler(debugMux, nil))
+	if !*disableDebug {
+		// Pass /debug/ to the default ServeMux, all the default debug
+		// handlers are installed there. Add a debug handler for the
+		// LoadBalancer data. Gzip the responses.
+		debugMux := http.NewServeMux()
+		debugMux.Handle("/debug/lbv2", h.lb)
+		debugMux.Handle("/", http.DefaultServeMux)
+		var h http.Handler = handlers.GZIPHandler(debugMux, nil)
+		if *restrictDebug {
+			h = withLocalhost(h)
+		}
+		mux.Handle("/debug/", h)
+	}
 
 	// Optionally enable a reverse proxy to the local Icecast for
 	// the direct stream URLs (below IcecastMountPrefix).
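Review bot: `var h http.Handler = handlers.GZIPHandler(debugMux, nil)` inside the `if !*disableDebug` block shadows the method receiver `h`, which is used two lines earlier as `h.lb`. It compiles and the shadow ends with the block, but a later edit in that block that reaches for `h.lb` or `h.staticDir` would hit the handler instead; a distinct name avoids this, e.g. `var debugHandler http.Handler = handlers.GZIPHandler(debugMux, nil)` followed by `mux.Handle("/debug/", debugHandler)`. Because `http.DefaultServeMux` is mounted here, the comment could also state that any /debug/ handler a dependency registers on the default mux is served to remote clients when `-restrict-debug=false`. createHandler begins before this hunk and continues past it.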