diff --git a/cmd.c b/cmd.c
index 76bf2b5..3c240ac 100644
--- a/cmd.c
+++ b/cmd.c
@@ -65,7 +65,7 @@ cmd_authorized(struct cmd *cmd, struct conf *cfg, struct evhttp_request *rq) {
 /* go through permissions */
 for(a = cfg->perms; a; a = a->next) {
- if(!acl_match(a, &client_addr)) continue; /* match client */
+ if(!acl_match(a, rq, &client_addr)) continue; /* match client */
 /* go through authorized commands */
 for(i = 0; i < a->enabled.count; ++i) {
diff --git a/conf.c b/conf.c
index d42972b..62d16cb 100644
--- a/conf.c
+++ b/conf.c
@@ -5,6 +5,7 @@
 #include
 #include
+#include
 #include
 #include "conf.h"
@@ -174,15 +175,21 @@ conf_parse_acls(json_t *jtab) {
 }
 int
-acl_match(struct acl *a, in_addr_t *ip) {
-
- /* TODO: add HTTP Basic Auth */
+acl_match(struct acl *a, struct evhttp_request *rq, in_addr_t *ip) {
+
+ /* check HTTP Basic Auth */
+ const char *auth;
+ auth = evhttp_find_header(rq->input_headers, "Authorization");
+ if(auth && a->http_basic_auth && strncasecmp(auth, "Basic ", 6) == 0) { /* sent auth */
+ if(strcmp(auth + 6, a->http_basic_auth) != 0) { /* wrong */
+ return 0;
+ }
+ }
+ /* CIDR check. */
 if(a->cidr.enabled == 0) { /* none given, all match */
 return 1;
 }
-
- /* CIDR check. */
 if(((*ip) & a->cidr.mask) == (a->cidr.subnet & a->cidr.mask)) {
 return 1;
 }
diff --git a/conf.h b/conf.h
index 428758f..0ae7219 100644
--- a/conf.h
+++ b/conf.h
@@ -3,6 +3,8 @@
 #include
+struct evhttp_request;
+
 struct acl_commands {
 unsigned int count;
 char **commands;
@@ -45,6 +47,6 @@ void conf_free(struct conf *conf);
 int
-acl_match(struct acl *a, in_addr_t *ip);
+acl_match(struct acl *a, struct evhttp_request *rq, in_addr_t *ip);
 #endif /* CONF_H */
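Review bot: In `acl_match` (conf.c, second hunk) the new check only rejects a wrong password: a request with no `Authorization` header, or one using a scheme other than `Basic`, skips the whole `if` and falls through to the CIDR test, so an ACL that sets `http_basic_auth` still matches unauthenticated clients, and matches every client when `cidr.enabled == 0`. When the ACL carries a credential the check should fail closed, e.g. `if(a->http_basic_auth && (!auth || strncasecmp(auth, "Basic ", 6) != 0 || strcmp(auth + 6, a->http_basic_auth) != 0)) return 0;`. `strcmp` also stops at the first differing byte, so a constant-time comparison is preferable for the credential. The comparison runs on the still-encoded header value, which presumably relies on the config parser storing `a->http_basic_auth` base64-encoded; that parser and the end of `acl_match` are outside the hunk.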