diff --git a/server/src/plugins/ip-gate.js b/server/src/plugins/ip-gate.js
new file mode 100644
index 0000000..c69e6ba
--- /dev/null
+++ b/server/src/plugins/ip-gate.js
@@ -0,0 +1,95 @@
+const EXCLUDED_PATHS = [
+  '/api/auth/oauth/vk/callback',
+  '/api/auth/oauth/yandex/callback',
+  '/api/webhooks/yookassa',
+  '/api/admin/notifications/telegram/webhook',
+]
+
+function build403Html(ip) {
+  const safeIp = ip || 'не определён'
+  return `<!DOCTYPE html>
+<html lang="ru">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Любимый Креатив — Доступ запрещён</title>
+<style>
+  * { margin: 0; padding: 0; box-sizing: border-box }
+  body {
+    font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+    background: #faf8f5;
+    color: #3d322b;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    min-height: 100vh;
+    padding: 24px;
+  }
+  .card {
+    max-width: 520px;
+    width: 100%;
+    background: #fff;
+    border: 1px solid #e8e0d8;
+    border-radius: 16px;
+    padding: 48px 40px;
+    text-align: center;
+    box-shadow: 0 2px 16px rgb(0 0 0 / 4%);
+  }
+  .card h1 {
+    font-size: 24px;
+    font-weight: 600;
+    letter-spacing: -0.3px;
+    color: #4a3a2e;
+    margin-bottom: 8px;
+  }
+  .card .tagline {
+    font-size: 14px;
+    color: #8c8177;
+    margin-bottom: 32px;
+    line-height: 1.5;
+  }
+  .card .status {
+    font-size: 16px;
+    color: #6b5e52;
+    margin-bottom: 24px;
+    line-height: 1.6;
+  }
+  .card .ip {
+    font-size: 12px;
+    color: #b8a99b;
+    font-family: 'SF Mono', 'Cascadia Code', 'Fira Code', monospace;
+  }
+</style>
+</head>
+<body>
+<div class="card">
+  <h1>Любимый Креатив</h1>
+  <p class="tagline">Изделия ручной работы: вещи с характером и вниманием к деталям</p>
+  <p class="status">Сайт находится в разработке<br>и скоро будет доступен</p>
+  <p class="ip">Ваш IP: ${safeIp}</p>
+</div>
+</body>
+</html>`
+}
+
+export async function registerIpGate(fastify) {
+  fastify.addHook('onRequest', async (request, reply) => {
+    const allowed = process.env.SITE_ACCESS_IPS
+    if (!allowed) return
+
+    const allowedIps = allowed
+      .split(',')
+      .map((s) => s.trim())
+      .filter(Boolean)
+
+    if (allowedIps.length === 0) return
+
+    const urlPath = request.url.split('?')[0]
+
+    if (EXCLUDED_PATHS.includes(urlPath)) return
+
+    if (allowedIps.includes(request.ip)) return
+
+    return reply.code(403).type('text/html').send(build403Html(request.ip))
+  })
+}