diff --git a/README.md b/README.md
index 6143846..934ad7a 100644
--- a/README.md
+++ b/README.md
@@ -6,3 +6,13 @@ Linux ipset management
 ```shell
 xh GET 0:2688/ipset x-ssrf-token:token
 ```
+
+```shell
+curl -H 'x-ssrf-token: SSRF' 0:2688/ipset/allowipset/ips | jq .
+{
+ "ips": [
+ "36.28.*.*",
+ "36.20.*.*"
+ ]
+}
+```
diff --git a/justfile b/justfile
new file mode 100644
index 0000000..bbc8040
--- /dev/null
+++ b/justfile
@@ -0,0 +1,5 @@
+_:
+ @just --list
+
+build-linux-x64-musl:
+ cargo zigbuild --release --target x86_64-unknown-linux-musl
diff --git a/src/main.rs b/src/main.rs
index 7586f1b..c2fb9a4 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -11,6 +11,7 @@ use serde_json::json;
 use std::{env, process};
 use tokio::net::TcpListener;
+const DEFAULT_PORT: u16 = 8343;
 const SSRF_TOKEN: &str = "SSRF_TOKEN";
 mod ipset;
@@ -46,7 +47,7 @@ async fn inner_main() -> XResult<()> {
 .route("/ipset/{ipset}/ips/{ip}", post(delete_ipset_ips)) // --
 .route("/ipset/{ipset}/ips", post(post_ipset_ips));
- let listen_addr = format!("127.0.0.1:{}", args.port.unwrap_or(2688));
+ let listen_addr = format!("127.0.0.1:{}", args.port.unwrap_or(DEFAULT_PORT));
 let listener = TcpListener::bind(&listen_addr).await.unwrap();
 axum::serve(listener, app).await.unwrap();
 Ok(())
@@ -124,7 +125,11 @@ async fn get_ipset_ips(
 }
 // DELETE /ipset/{}/ips/{}
-async fn delete_ipset_ips(Path(params): Path) -> impl IntoResponse {
+async fn delete_ipset_ips(
+ header_map: HeaderMap,
+ Path(params): Path,
+) -> impl IntoResponse {
+ check_header_ssrf_token!(header_map);
 let ipset = get_value_or_bad_request!(IpSet::new(¶ms.ipset));
 get_value_or_bad_request!(ipset.del(¶ms.ip));
 (StatusCode::OK, Json(json!({})))
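Review bot: The `build-linux-x64-musl` recipe builds the release binary without `--locked`, so a Cargo.lock that is out of sync with Cargo.toml is re-resolved instead of failing the build. For a release artifact of an ipset-management service, `cargo zigbuild --release --locked --target x86_64-unknown-linux-musl` keeps the shipped dependency set equal to the reviewed one; this assumes Cargo.lock is checked in, which the diff does not show. A comment above the recipe naming its prerequisites, for example `# requires cargo-zigbuild and zig on PATH`, would also help, since the README lines visible here do not mention them.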
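Review bot: Both README examples, including the curl one added in this same commit, still address `0:2688`, which no longer matches the default once `args.port.unwrap_or(DEFAULT_PORT)` resolves to 8343. Anyone following the README against a default start would hit a closed port, or whatever other local service happens to listen on 2688. Either update the examples to `0:8343` or state in the README that they assume the port was passed explicitly. A doc comment on the constant, such as `/// Loopback port used when no port argument is given.`, would make the intent clear at the definition. The body of inner_main starts outside this hunk.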
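Review bot: Invoking `check_header_ssrf_token!(header_map);` by hand in each handler is the same pattern that left `delete_ipset_ips` and `post_ipset_ips` unguarded until this commit, and the next route added to the router can miss it in the same way. Consider enforcing the token once at the router, for example `.route_layer(axum::middleware::from_fn(require_ssrf_token))`, where `require_ssrf_token` is a placeholder name for a function wrapping the existing check, so that an unauthenticated route becomes the exception that has to be written out. The macro body is not visible in this diff; if it compares the header value with `==`, a constant-time comparison would be preferable. A test asserting that both mutating routes reject a request without the header would pin the fix. The same applies to the `post_ipset_ips` hunk that follows, and both function bodies close outside their hunks.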
@@ -132,9 +137,11 @@ async fn delete_ipset_ips(Path(params): Path) -> impl IntoRespons
 // POST /ipset/{}/ips with parameter: ip=?
 async fn post_ipset_ips(
+ header_map: HeaderMap,
 Path(params): Path,
 Form(request): Form,
 ) -> impl IntoResponse {
+ check_header_ssrf_token!(header_map);
 let ipset = get_value_or_bad_request!(IpSet::new(¶ms.ipset));
 get_value_or_bad_request!(ipset.add(&request.ip));
 (StatusCode::OK, Json(json!({})))