diff --git a/cmd/web/handlers_guestbook.go b/cmd/web/handlers_guestbook.go
index 1295114..ce531b2 100644
--- a/cmd/web/handlers_guestbook.go
+++ b/cmd/web/handlers_guestbook.go
@@ -257,6 +257,11 @@ func (app *application) postGuestbookCommentCreateRemote(w http.ResponseWriter,
 		return
 	}
 
+	if normalizeUrl(r.Header.Get("Origin")) != normalizeUrl(website.SiteUrl) {
+		app.clientError(w, http.StatusForbidden)
+		return
+	}
+
 	if !website.Guestbook.CanComment() {
 		app.clientError(w, http.StatusForbidden)
 		return
diff --git a/cmd/web/helpers.go b/cmd/web/helpers.go
index 7d927d1..3060325 100644
--- a/cmd/web/helpers.go
+++ b/cmd/web/helpers.go
@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"runtime/debug"
 	"strconv"
+	"strings"
 	"time"
 
 	"git.32bit.cafe/32bitcafe/guestbook/internal/models"
@@ -127,3 +128,12 @@ func (app *application) durationToTime(duration string) (time.Time, error) {
 	result = time.Now().UTC().Add(offset)
 	return result, nil
 }
+
+func normalizeUrl(url string) string {
+	r, f := strings.CutPrefix(url, "http://")
+	if f {
+		return r
+	}
+	r, _ = strings.CutPrefix(url, "https://")
+	return r
+}
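Review bot: The new Origin check compares scheme-stripped values, so an `http://` Origin is accepted for a site configured as `https://`, while any difference in host case, port or trailing slash between the configured `website.SiteUrl` and the browser-serialized Origin (always lowercase `scheme://host[:port]`, with no path or trailing `/`) rejects legitimate posts with 403. If ignoring the scheme is deliberate, the remaining mismatch is still worth absorbing, e.g. `if !strings.EqualFold(normalizeUrl(r.Header.Get("Origin")), strings.TrimSuffix(normalizeUrl(website.SiteUrl), "/")) {` (handlers_guestbook.go would need `strings` in scope if it is not already); otherwise compare the full values including scheme. A missing Origin header normalizes to `""` and is rejected too, which is sound for a cross-site guard but means non-browser clients always get 403, so a one-line comment stating the intent would help, e.g. `// Cross-site guard: the request's Origin must match the configured site URL (scheme ignored).` postGuestbookCommentCreateRemote starts and ends outside the hunk.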
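Review bot: normalizeUrl in helpers.go has no doc comment and its name promises more than it does: only a leading `http://` or `https://` is removed, while host case, port and any path or trailing slash are kept, so two values that differ only in those can still compare unequal. Suggested header: `// normalizeUrl strips a leading "http://" or "https://" so URLs can be compared regardless of scheme; case, port and trailing slash are not normalized.` Per Go's initialism convention the identifier would be `normalizeURL`, and the parameter `url` shadows the `net/url` package name should helpers.go ever import it, so `raw` reads better. The two CutPrefix steps can also collapse to `return strings.TrimPrefix(strings.TrimPrefix(url, "https://"), "http://")`, which only differs for pathological inputs such as a doubled scheme.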