diff --git a/opentech/settings/production.py b/opentech/settings/production.py
index aa320c10e9bd24af0f6ea7804b67e207098c657d..c038b7b46ce0060e0d4c4610ac1c30bc1f9db8a1 100644
--- a/opentech/settings/production.py
+++ b/opentech/settings/production.py
@@ -144,6 +144,21 @@ if 'LOG_DIR' in env:
     LOGGING['loggers']['django.request']['handlers'].append('errors_file')
     LOGGING['loggers']['django.security']['handlers'].append('errors_file')
 
+# Basic auth to stop access to other than primary hosts.
+
+MIDDLEWARE += [
+    'baipw.middleware.BasicAuthIPWhitelistMiddleware'
+]
+
+if 'BASIC_AUTH_LOGIN' in env:
+    BASIC_AUTH_LOGIN = env['BASIC_AUTH_LOGIN']
+
+if 'BASIC_AUTH_PASSWORD' in env:
+    BASIC_AUTH_PASSWORD = env['BASIC_AUTH_PASSWORD']
+
+if 'BASIC_AUTH_WHITELISTED_HTTP_HOSTS' in env:
+    BASIC_AUTH_WHITELISTED_HTTP_HOSTS = env['BASIC_AUTH_WHITELISTED_HTTP_HOSTS'].split(',')
+
 django_heroku.settings(locals())
 
 try:
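Review bot: The middleware at `MIDDLEWARE += [...]` is installed unconditionally, but `BASIC_AUTH_LOGIN` and `BASIC_AUTH_PASSWORD` are each set only when their env var exists, so a deployment missing one or both starts without error. The middleware's behaviour is not visible here, but it appears to treat missing credentials as "not configured" and pass requests through, which would leave the non-primary hosts open with no signal; confirm this against the pinned release. Consider failing at startup when the pair is incomplete, e.g. `if ('BASIC_AUTH_LOGIN' in env) != ('BASIC_AUTH_PASSWORD' in env): raise RuntimeError('BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD must be set together')`. The host list is also split without trimming, so a value written with spaces after the commas yields entries that never match and an empty variable yields `['']`; `[h.strip() for h in env['BASIC_AUTH_WHITELISTED_HTTP_HOSTS'].split(',') if h.strip()]` avoids both. Because the exemption is keyed on the request's Host header, a comment beside the setting should record that it relies on `ALLOWED_HOSTS` and the front router accepting only the real hostnames, and the `django_heroku.settings(locals())` call just below may loosen `ALLOWED_HOSTS`.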
diff --git a/requirements.txt b/requirements.txt
index 55895a5978f117e8ea2020c15532b656393ea5c4..187e76e359f7931a8b315ae32b6a33207233f46b 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -29,6 +29,7 @@ django_select2==6.0.1
 
 # Production dependencies
 dj-database-url==0.5.0
+django-basic-auth-ip-whitelist==0.2.1
 django-heroku==0.3.1
 whitenoise==3.3.1
 gunicorn==19.9.0