diff --git a/.env.example b/.env.example
index cea10bd..70e5cca 100644
--- a/.env.example
+++ b/.env.example
@@ -1,5 +1,6 @@
 DATABASE_URI=sqlite://./database.db
 ADMIN_USER=admin
 ADMIN_PASSWORD=admin
+REPORT_SECRET=
 PUBLIC_START_DATE=2023-12-26T00:00:00+0200
 PUBLIC_BASE_PATH=
diff --git a/README.md b/README.md
index 0207f9a..43a0a83 100644
--- a/README.md
+++ b/README.md
@@ -29,12 +29,13 @@ $ node -r dotenv/config build/index.js
 
 Configurations can be done with env variables
 
-| Name                | Description                                                                                                                                         |
-| ------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `HOST`              | Host the server should listen on                                                                                                                    |
-| `PORT`              | Port the server should listen on                                                                                                                    |
-| `DATABASE_URI`      | URI to the database as a connection string. Supported databases are [sqlite](https://www.sqlite.org/index.html) and [mariadb](https://mariadb.org/) |
-| `ADMIN_USER`        | Name for the root admin user. The admin user won't be available if `ADMIN_USER` or `ADMIN_PASSWORD` is set                                          |
-| `ADMIN_PASSWORD`    | Password for the root admin user defined via `ADMIN_USER`. The admin user won't be available if `ADMIN_USER` or `ADMIN_PASSWORD` is set             |
-| `PUBLIC_BASE_PATH`  | If running the website on a sub-path, set this variable to the path so that assets etc. can find the correct location                               |
-| `PUBLIC_START_DATE` | The start date when the event starts                                                                                                                |
+| Name                | Description                                                                                                                                                                  |
+| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `HOST`              | Host the server should listen on                                                                                                                                             |
+| `PORT`              | Port the server should listen on                                                                                                                                             |
+| `DATABASE_URI`      | URI to the database as a connection string. Supported databases are [sqlite](https://www.sqlite.org/index.html) and [mariadb](https://mariadb.org/)                          |
+| `ADMIN_USER`        | Name for the root admin user. The admin user won't be available if `ADMIN_USER` or `ADMIN_PASSWORD` is set                                                                   |
+| `ADMIN_PASSWORD`    | Password for the root admin user defined via `ADMIN_USER`. The admin user won't be available if `ADMIN_USER` or `ADMIN_PASSWORD` is set                                      |
+| `REPORT_SECRET`     | Secret which may be required (as `?secret=<secret>` query parameter) to create reports on the public endpoint. Isn't required to be in the request if this variable is empty |
+| `PUBLIC_BASE_PATH`  | If running the website on a sub-path, set this variable to the path so that assets etc. can find the correct location                                                        |
+| `PUBLIC_START_DATE` | The start date when the event starts                                                                                                                                         |
diff --git a/src/routes/report/+server.ts b/src/routes/report/+server.ts
index e72f9c6..6357cd4 100644
--- a/src/routes/report/+server.ts
+++ b/src/routes/report/+server.ts
@@ -1,9 +1,12 @@
 import type { RequestHandler } from '@sveltejs/kit';
 import { Report, User } from '$lib/server/database';
 import * as crypto from 'crypto';
-import { env } from '$env/dynamic/public';
+import { env } from '$env/dynamic/private';
 
 export const POST = (async ({ request, url }) => {
+	if (env.REPORT_SECRET && url.searchParams.get('secret') !== env.REPORT_SECRET)
+		return new Response(null, { status: 401 });
+
 	const data: { reporter: string; reported: string; reason: string } = await request.json();
 
 	if (data.reporter == null || data.reported == null || data.reason == null)
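Review bot: The new secret check at the top of `POST` compares with `!==`, which is not a constant-time comparison, and reads the secret from the query string, where it will normally be recorded in access and proxy logs. `crypto` is already imported in this file, so the comparison can go through `crypto.timingSafeEqual` over SHA-256 digests of both values; hashing keeps the two buffers the same length, which `timingSafeEqual` requires. Separately, the import now comes from `$env/dynamic/private`, which does not expose `PUBLIC_`-prefixed variables, so any `env.PUBLIC_*` read further down would become undefined. The handler body continues outside the hunk, so this cannot be confirmed from here and is worth checking.

```typescript
export const POST = (async ({ request, url }) => {
	if (env.REPORT_SECRET) {
		// Hash both sides so timingSafeEqual always receives equal-length buffers.
		const digest = (value: string) => crypto.createHash('sha256').update(value).digest();
		const supplied = url.searchParams.get('secret') ?? '';
		if (!crypto.timingSafeEqual(digest(supplied), digest(env.REPORT_SECRET)))
			return new Response(null, { status: 401 });
	}

	// … unchanged: request.json() parsing and null checks …
```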