diff --git a/src/main/java/org/qortal/api/Security.java b/src/main/java/org/qortal/api/Security.java
index 09c98988..4aca2c49 100644
--- a/src/main/java/org/qortal/api/Security.java
+++ b/src/main/java/org/qortal/api/Security.java
@@ -64,6 +64,19 @@ public abstract class Security {
 }
 }
+ public static void disallowLoopbackRequestsIfAuthBypassEnabled(HttpServletRequest request) {
+ if (Settings.getInstance().isLocalAuthBypassEnabled()) {
+ try {
+ InetAddress remoteAddr = InetAddress.getByName(request.getRemoteAddr());
+ if (remoteAddr.isLoopbackAddress()) {
+ throw ApiExceptionFactory.INSTANCE.createCustomException(request, ApiError.UNAUTHORIZED, "Local requests not allowed when localAuthBypassEnabled is enabled in settings");
+ }
+ } catch (UnknownHostException e) {
+ throw ApiExceptionFactory.INSTANCE.createException(request, ApiError.UNAUTHORIZED);
+ }
+ }
+ }
+
 public static void requirePriorAuthorization(HttpServletRequest request, String resourceId, Service service, String identifier) {
 ArbitraryDataResource resource = new ArbitraryDataResource(resourceId, null, service, identifier);
 if (!ArbitraryDataRenderManager.getInstance().isAuthorized(resource)) {
diff --git a/src/main/java/org/qortal/api/resource/RenderResource.java b/src/main/java/org/qortal/api/resource/RenderResource.java
index 49743159..97411e54 100644
--- a/src/main/java/org/qortal/api/resource/RenderResource.java
+++ b/src/main/java/org/qortal/api/resource/RenderResource.java
@@ -100,6 +100,7 @@ public class RenderResource {
 @SecurityRequirement(name = "apiKey")
 public boolean authorizeResource(@HeaderParam(Security.API_KEY_HEADER) String apiKey, @PathParam("resourceId") String resourceId) {
 Security.checkApiCallAllowed(request);
+ Security.disallowLoopbackRequestsIfAuthBypassEnabled(request);
 ArbitraryDataResource resource = new ArbitraryDataResource(resourceId, null, null, null);
 ArbitraryDataRenderManager.getInstance().addToAuthorizedResources(resource);
 return true;
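Review bot: The new public method `disallowLoopbackRequestsIfAuthBypassEnabled` has no Javadoc, and its fail-closed edge cases are not obvious from the code: `InetAddress.getByName(null)` returns a loopback address, so a container that yields `null` from `getRemoteAddr()` is refused, and an unparsable address reaches the `catch` and is also mapped to `UNAUTHORIZED`. Suggest a Javadoc stating that when `localAuthBypassEnabled` is set the method rejects any caller whose immediate peer address is loopback, missing or unparsable, and that only `getRemoteAddr()` is consulted (no forwarded-for headers), so every client behind a reverse proxy on the same host will be refused. A short why-comment on the `isLoopbackAddress()` line would also help, e.g. `// presumably checkApiCallAllowed waives the API key for loopback peers when the bypass is on, so loopback must be refused here — confirm`.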
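Review bot: The added `Security.disallowLoopbackRequestsIfAuthBypassEnabled(request)` call comes after `Security.checkApiCallAllowed(request)`, so with `localAuthBypassEnabled` set a loopback caller is refused even when it presents a valid `apiKey`, which the `@SecurityRequirement(name = "apiKey")` annotation on `authorizeResource` does not convey. If that is the intended contract, record it in the endpoint's description or with a comment above the call such as `// Loopback callers are refused whenever local auth bypass is on, even with a valid API key`. The same applies to the two later hunks at `@@ +113` and `@@ +127`, which add the identical call. The closing brace of each of these methods lies outside its hunk.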
@@ -112,6 +113,7 @@ public class RenderResource {
 @PathParam("service") Service service, @PathParam("resourceId") String resourceId) {
 Security.checkApiCallAllowed(request);
+ Security.disallowLoopbackRequestsIfAuthBypassEnabled(request);
 ArbitraryDataResource resource = new ArbitraryDataResource(resourceId, null, service, null);
 ArbitraryDataRenderManager.getInstance().addToAuthorizedResources(resource);
 return true;
@@ -125,6 +127,7 @@ public class RenderResource {
 @PathParam("resourceId") String resourceId, @PathParam("identifier") String identifier) {
 Security.checkApiCallAllowed(request);
+ Security.disallowLoopbackRequestsIfAuthBypassEnabled(request);
 ArbitraryDataResource resource = new ArbitraryDataResource(resourceId, null, service, identifier);
 ArbitraryDataRenderManager.getInstance().addToAuthorizedResources(resource);
 return true;