diff --git a/app.py b/app.py
index 7691aaa..1fc193e 100644
--- a/app.py
+++ b/app.py
@@ -1,4 +1,4 @@
-from flask import Flask, request, session, redirect, url_for, render_template, jsonify
+from flask import Flask, request, session, redirect, url_for, render_template, jsonify, abort
 from werkzeug.security import generate_password_hash, check_password_hash
 from cryptography.fernet import Fernet
 import os
@@ -45,6 +45,18 @@ def get_key_for_user(user, password):
 key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt + user.encode(), 100_000)
 return base64.urlsafe_b64encode(key[:32])
+banned_user_agent_patterns = [
+ re.compile(r'curl/\d+\.\d+(\.\d+)?'),
+ re.compile(r'python-requests/\d+\.\d+(\.\d+)?'),
+]
+
+@app.before_request
+def block_banned_user_agents():
+ ua = request.headers.get("User-Agent", "")
+ for pattern in banned_user_agent_patterns:
+ if pattern.search(ua):
+ abort(403)
+
 # === ROUTES ===
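Review bot: `block_banned_user_agents` decides solely on the `User-Agent` header, which the client chooses, so the `abort(403)` in this hook is a best-effort filter for default tool strings and should not be relied on as an access control. The routes still need their own authentication, plus server-side rate limiting if automated traffic is the concern. I would state that in a docstring, e.g. `"""Reject requests whose User-Agent matches a known automation client; best-effort filter, not a security boundary."""`, and record each rejection through the application logger before aborting so the blocks are visible to monitoring. The hunk calls `re.compile` while the import hunk above adds only `abort`; `import re` is not visible in the context shown, so confirm it exists, otherwise the module fails when it is loaded. As a style point, the module-level list reads better as a constant, `BANNED_USER_AGENT_PATTERNS`, and the loop can become `if any(p.search(ua) for p in BANNED_USER_AGENT_PATTERNS): abort(403)`.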