diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 817b5a1e..6aa96e1c 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,3 +1,18 @@
 class ApplicationController < ActionController::Base
 default_form_builder(GOVUKDesignSystemFormBuilder::FormBuilder)
+
+ before_action :authenticate
+
+ def authenticate
+ valid_credentials = [
+ {
+ username: ENV.fetch("SUPPORT_USERNAME", "support"),
+ password: ENV.fetch("SUPPORT_PASSWORD", "support"),
+ },
+ ]
+
+ authenticate_or_request_with_http_basic do |username, password|
+ valid_credentials.include?({ username:, password: })
+ end
+ end
 end
diff --git a/spec/requests/pages_spec.rb b/spec/requests/pages_spec.rb
index 26f12927..a4cdc515 100644
--- a/spec/requests/pages_spec.rb
+++ b/spec/requests/pages_spec.rb
@@ -2,9 +2,23 @@
 RSpec.describe "Pages", type: :request do
 describe "GET /home" do
- it "returns http success" do
+ it "requires authentication" do
 get "/"
- expect(response).to have_http_status(:success)
+ expect(response).to have_http_status(:unauthorized)
+ end
+
+ context "with valid basic auth credentials" do
+ let(:credentials) do
+ ActionController::HttpAuthentication::Basic.encode_credentials(
+ ENV.fetch("SUPPORT_USERNAME", "support"),
+ ENV.fetch("SUPPORT_PASSWORD", "support")
+ )
+ end
+
+ it "returns http success" do
+ get "/", env: { "HTTP_AUTHORIZATION" => credentials }
+ expect(response).to have_http_status(:success)
+ end
 end
 end
 end
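Review bot: Both `ENV.fetch` calls in `authenticate` fall back to the literal `"support"`, so any deployment where `SUPPORT_USERNAME` or `SUPPORT_PASSWORD` is unset is gated only by a guessable default pair that is visible in the repository. The block also checks the pair with `valid_credentials.include?`, which compares the strings with ordinary `==` rather than in constant time; Rails provides `ActiveSupport::SecurityUtils.secure_compare` for this. I would drop the fallbacks so a missing variable fails closed (development and test then have to set both variables explicitly) and compare each field with `secure_compare`, as sketched below. `authenticate` is also added as a public controller method; placing it under `private` would follow the usual convention for callbacks.

```ruby
def authenticate
  # Fail closed: ENV.fetch without a default raises KeyError when the variable is unset.
  expected_username = ENV.fetch("SUPPORT_USERNAME")
  expected_password = ENV.fetch("SUPPORT_PASSWORD")

  authenticate_or_request_with_http_basic do |username, password|
    # Non-short-circuit & so both comparisons always run.
    ActiveSupport::SecurityUtils.secure_compare(username, expected_username) &
      ActiveSupport::SecurityUtils.secure_compare(password, expected_password)
  end
end
```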
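Review bot: Nothing in the new examples asserts that a wrong password is rejected: the spec covers a request with no header and a request with the correct pair, so a regression that made the block in `authenticate` accept any credentials would still pass. A third context that sends a well-formed `Authorization` header with a wrong password and expects `:unauthorized` would close that gap; a sketch follows. The `let(:credentials)` block also repeats the `"support"` fallback used by the controller, so the two files have to be changed together if those defaults ever change.

```ruby
context "with invalid basic auth credentials" do
  let(:credentials) do
    ActionController::HttpAuthentication::Basic.encode_credentials(
      ENV.fetch("SUPPORT_USERNAME", "support"),
      "not-the-password" # constructed value for the negative case
    )
  end

  it "requires authentication" do
    get "/", env: { "HTTP_AUTHORIZATION" => credentials }
    expect(response).to have_http_status(:unauthorized)
  end
end
```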