diff --git a/src/backend/routes/harness.ts b/src/backend/routes/harness.ts
index f29a7e2..da77085 100644
--- a/src/backend/routes/harness.ts
+++ b/src/backend/routes/harness.ts
@@ -28,6 +28,17 @@ type GitCommitSummary = {
   relative: string;
 };
 
+function requireLocalhost(req: any, res: any, next: any) {
+  const ip = req.ip || (req.socket && req.socket.remoteAddress) || '';
+  // Normalize IPv4-mapped IPv6 addresses (e.g., ::ffff:127.0.0.1)
+  const normalizedIp = ip.replace(/^::ffff:/, '');
+
+  if (normalizedIp !== '127.0.0.1' && normalizedIp !== '::1') {
+    return res.status(403).json({ success: false, error: 'Forbidden: Access to harness routes is restricted to localhost.' });
+  }
+  next();
+}
+
 function safeReadJson<T>(path: string): T | null {
   try {
     if (!existsSync(path)) return null;
@@ -77,6 +88,7 @@ function getLastCommit(projectRoot: string): GitCommitSummary | null {
 
 export function createHarnessRoutes(projectRoot = process.cwd()): Router {
   const router = Router();
+  router.use(requireLocalhost);
 
   router.get('/status', (_req, res) => {
     try {