diff --git a/apps/web/src/middleware.ts b/apps/web/src/middleware.ts
new file mode 100644
index 0000000..9360754
--- /dev/null
+++ b/apps/web/src/middleware.ts
@@ -0,0 +1,17 @@
+import { NextRequest, NextResponse } from "next/server";
+
+export function middleware(req: NextRequest) {
+  const path = req.nextUrl.pathname;
+
+  // Block all /api/* except the read-only SSE and health endpoints.
+  // Mutations happen via Server Actions which post to page URLs, not /api/*.
+  if (path.startsWith("/api/") && path !== "/api/events" && path !== "/api/health") {
+    return new NextResponse("Not Found", { status: 404 });
+  }
+
+  return NextResponse.next();
+}
+
+export const config = {
+  matcher: ["/((?!_next/static|_next/image|favicon.ico|icon-).*)"],
+};
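Review bot: The `if (path.startsWith("/api/") && …)` check is the only gate on `/api/*` visible in this hunk, and Next.js middleware is not a reliable sole access control — on affected Next.js versions a request carrying the `x-middleware-subrequest` header skips middleware entirely (CVE-2025-29927), so any route handler that still exists under `app/api/` should enforce its own authorization or be deleted rather than relying on this 404. The prefix check also misses a handler mounted at exactly `/api`; if one exists, widen it to `const isApi = path === "/api" || path.startsWith("/api/");` and gate on `isApi`. Since the matcher deliberately keeps `/api/*` in scope, a comment should state the intent so the next maintainer does not treat it as the authorization boundary, e.g. `// Defence in depth only: route handlers must not assume this middleware ran.` `NextRequest` is used only as a type, so `import { type NextRequest, NextResponse } from "next/server";` keeps it out of the runtime import.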