diff --git a/channel/channel-server-app/pom.xml b/channel/channel-server-app/pom.xml
index 2c3c8effa..3403f7715 100644
--- a/channel/channel-server-app/pom.xml
+++ b/channel/channel-server-app/pom.xml
@@ -45,6 +45,11 @@
arthas-channel-server-starter
${project.version}
+
+
+ org.springframework.boot
+ spring-boot-starter-security
+
diff --git a/channel/channel-server-app/src/main/java/com/alibaba/arthas/channel/server/WebSecurityConfig.java b/channel/channel-server-app/src/main/java/com/alibaba/arthas/channel/server/WebSecurityConfig.java
new file mode 100644
index 000000000..c79d82b13
--- /dev/null
+++ b/channel/channel-server-app/src/main/java/com/alibaba/arthas/channel/server/WebSecurityConfig.java
@@ -0,0 +1,43 @@
+package com.alibaba.arthas.channel.server;
+
+import com.alibaba.arthas.channel.server.autoconfigure.ChannelServerProperties;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.crypto.password.NoOpPasswordEncoder;
+import org.springframework.util.StringUtils;
+
+@Configuration
+@EnableWebSecurity
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+ @Autowired
+ private ChannelServerProperties channelServerProperties;
+
+ @Override
+ protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+ String username = channelServerProperties.getAuth().getUsername();
+ if (StringUtils.hasText(username)) {
+ auth.inMemoryAuthentication()
+ //.passwordEncoder(new BCryptPasswordEncoder())
+ .passwordEncoder(NoOpPasswordEncoder.getInstance()) // CHANGE IT for production
+ .withUser(username)
+ .password(channelServerProperties.getAuth().getPassword())
+ .roles("USER");
+ }
+ }
+
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ String username = channelServerProperties.getAuth().getUsername();
+ if (StringUtils.hasText(username)) {
+ http.csrf().disable().authorizeRequests()
+ .anyRequest().authenticated()
+ .and()
+ .httpBasic();
+ }
+ }
+}
\ No newline at end of file
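Review bot: The `NoOpPasswordEncoder.getInstance()` call in `configure(AuthenticationManagerBuilder)` stores and compares the configured password as plaintext, and the `// CHANGE IT for production` comment is the only safeguard against shipping it that way. Make the safe encoder the default instead, e.g. enable the commented-out `.passwordEncoder(new BCryptPasswordEncoder())` and expect a bcrypt hash in `arthas.channel.server.auth.password`. Separately, both `configure` overrides do nothing when the username is blank, so an unconfigured server appears to accept every request without authentication. If that is intended, log a startup warning that says so; otherwise deny by default. `csrf().disable()` is also applied only inside the authenticated branch, so CSRF handling presumably differs between the two modes and deserves a comment explaining which behaviour is wanted.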
diff --git a/channel/channel-server-app/src/main/resources/application.properties b/channel/channel-server-app/src/main/resources/application.properties
index fd855a3c7..a02d6d6f9 100755
--- a/channel/channel-server-app/src/main/resources/application.properties
+++ b/channel/channel-server-app/src/main/resources/application.properties
@@ -22,6 +22,9 @@ arthas.channel.server.message-exchange.topic-survival-time-mills=60000
arthas.channel.server.message-exchange.topic-capacity=1000
+# auth
+#arthas.channel.server.auth.username=arthas
+#arthas.channel.server.auth.password=arthas
# for all endpoints
management.endpoints.web.exposure.include=*
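Review bot: The commented sample on the added lines uses `arthas` for both username and password, which becomes a guessable default credential as soon as someone uncomments it unchanged. Use an obviously invalid placeholder, e.g. `#arthas.channel.server.auth.password=<set-a-strong-password>`, and add a comment line stating that authentication is off while these properties are unset. This matters more because the following context line, `management.endpoints.web.exposure.include=*`, exposes all actuator endpoints, which would then also be reachable without credentials.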
diff --git a/channel/channel-server-starter/src/main/java/com/alibaba/arthas/channel/server/autoconfigure/ChannelServerProperties.java b/channel/channel-server-starter/src/main/java/com/alibaba/arthas/channel/server/autoconfigure/ChannelServerProperties.java
index e97f425fb..d1f84f36c 100644
--- a/channel/channel-server-starter/src/main/java/com/alibaba/arthas/channel/server/autoconfigure/ChannelServerProperties.java
+++ b/channel/channel-server-starter/src/main/java/com/alibaba/arthas/channel/server/autoconfigure/ChannelServerProperties.java
@@ -12,6 +12,8 @@ public class ChannelServerProperties {
private AgentCleaner agentCleaner = new AgentCleaner();
+ private Auth auth = new Auth();
+
public Server getWebsocket() {
return websocket;
}
@@ -44,6 +46,14 @@ public class ChannelServerProperties {
this.messageExchange = messageExchange;
}
+ public Auth getAuth() {
+ return auth;
+ }
+
+ public void setAuth(Auth auth) {
+ this.auth = auth;
+ }
+
public static class Server {
private String host;
private int port;
@@ -158,4 +168,24 @@ public class ChannelServerProperties {
}
}
+ public static class Auth {
+ private String username;
+ private String password;
+
+ public String getUsername() {
+ return username;
+ }
+
+ public void setUsername(String username) {
+ this.username = username;
+ }
+
+ public String getPassword() {
+ return password;
+ }
+
+ public void setPassword(String password) {
+ this.password = password;
+ }
+ }
}
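Review bot: The new `Auth` class has no Javadoc, so nothing tells a reader that a blank `username` switches authentication off in `WebSecurityConfig`, or in what form `password` is expected. Add a class comment such as `/** HTTP Basic credentials for the channel server; authentication is disabled when username is blank. */` and a field comment on `password` stating whether it holds plaintext or an encoded hash. If a `toString()` is ever added to this class, it should leave the password out. The enclosing `ChannelServerProperties` class starts outside this hunk.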