diff --git a/app/cmd/server.go b/app/cmd/server.go
index 0d3dd15..2679271 100644
--- a/app/cmd/server.go
+++ b/app/cmd/server.go
@@ -177,6 +177,7 @@ type serverConfigOutboundEntry struct {
 
 type serverConfigTrafficStats struct {
 	Listen string `mapstructure:"listen"`
+	Secret string `mapstructure:"secret"`
 }
 
 type serverConfigMasqueradeFile struct {
@@ -596,7 +597,7 @@ func (c *serverConfig) fillEventLogger(hyConfig *server.Config) error {
 
 func (c *serverConfig) fillTrafficLogger(hyConfig *server.Config) error {
 	if c.TrafficStats.Listen != "" {
-		tss := trafficlogger.NewTrafficStatsServer()
+		tss := trafficlogger.NewTrafficStatsServer(c.TrafficStats.Secret)
 		hyConfig.TrafficLogger = tss
 		go runTrafficStatsServer(c.TrafficStats.Listen, tss)
 	}
diff --git a/app/cmd/server_test.go b/app/cmd/server_test.go
index 30b088b..8eaafff 100644
--- a/app/cmd/server_test.go
+++ b/app/cmd/server_test.go
@@ -135,6 +135,7 @@ func TestServerConfig(t *testing.T) {
 		},
 		TrafficStats: serverConfigTrafficStats{
 			Listen: ":9999",
+			Secret: "its_me_mario",
 		},
 		Masquerade: serverConfigMasquerade{
 			Type: "proxy",
diff --git a/app/cmd/server_test.yaml b/app/cmd/server_test.yaml
index fa5418b..77a791c 100644
--- a/app/cmd/server_test.yaml
+++ b/app/cmd/server_test.yaml
@@ -100,6 +100,7 @@ outbounds:
 
 trafficStats:
   listen: :9999
+  secret: its_me_mario
 
 masquerade:
   type: proxy
diff --git a/extras/trafficlogger/http.go b/extras/trafficlogger/http.go
index bd22a0d..428dd94 100644
--- a/extras/trafficlogger/http.go
+++ b/extras/trafficlogger/http.go
@@ -20,10 +20,11 @@ type TrafficStatsServer interface {
 	http.Handler
 }
 
-func NewTrafficStatsServer() TrafficStatsServer {
+func NewTrafficStatsServer(secret string) TrafficStatsServer {
 	return &trafficStatsServerImpl{
 		StatsMap: make(map[string]*trafficStatsEntry),
 		KickMap:  make(map[string]struct{}),
+		Secret:   secret,
 	}
 }
 
@@ -31,6 +32,7 @@ type trafficStatsServerImpl struct {
 	Mutex    sync.RWMutex
 	StatsMap map[string]*trafficStatsEntry
 	KickMap  map[string]struct{}
+	Secret   string
 }
 
 type trafficStatsEntry struct {
@@ -60,6 +62,10 @@ func (s *trafficStatsServerImpl) Log(id string, tx, rx uint64) (ok bool) {
 }
 
 func (s *trafficStatsServerImpl) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if s.Secret != "" && r.Header.Get("Authorization") != s.Secret {
+		http.Error(w, "unauthorized", http.StatusUnauthorized)
+		return
+	}
 	if r.Method == http.MethodGet && r.URL.Path == "/" {
 		_, _ = w.Write([]byte(indexHTML))
 		return