diff --git a/http.go b/http.go
index c0ef87f..0a61980 100644
--- a/http.go
+++ b/http.go
@@ -5,14 +5,15 @@ import (
 "crypto/tls"
 "encoding/base64"
 "errors"
- "github.com/ginuerzh/pht"
- "github.com/golang/glog"
- "golang.org/x/net/http2"
 "io"
 "net"
 "net/http"
 "net/http/httputil"
 "time"
+
+ "github.com/ginuerzh/pht"
+ "github.com/golang/glog"
+ "golang.org/x/net/http2"
 )
 
 type HttpServer struct {
@@ -75,6 +76,11 @@ func (s *HttpServer) HandleRequest(req *http.Request) {
 return
 }
 
+ if !s.Base.Node.Can("tcp", req.Host) {
+ glog.Errorf("Unauthorized to tcp connect to %s", req.Host)
+ return
+ }
+
 c, err := s.Base.Chain.Dial(req.Host)
 if err != nil {
 glog.V(LWARNING).Infof("[http] %s -> %s : %s", s.conn.RemoteAddr(), req.Host, err)
@@ -184,6 +190,11 @@ func (s *Http2Server) HandleRequest(w http.ResponseWriter, req *http.Request) {
 
 w.Header().Set("Proxy-Agent", "gost/"+Version)
 
+ if !s.Base.Node.Can("tcp", target) {
+ glog.Errorf("Unauthorized to tcp connect to %s", target)
+ return
+ }
+
 // HTTP2 as transport
 if req.Header.Get("Proxy-Switch") == "gost" {
 conn, err := s.Upgrade(w, req)
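Review bot: The denial branch added to `(*HttpServer).HandleRequest` returns without writing anything to the client, and its log line drops the `[http]` tag and client address that the neighbouring Dial-failure log carries, so a blocked request cannot be attributed to a source. Log it in the same shape, e.g. `glog.Errorf("[http] %s -> %s : unauthorized tcp connect", s.conn.RemoteAddr(), req.Host)`, and send a `403 Forbidden` status line on `s.conn` before returning; the same log wording is used in the `Http2Server` hunk. Whether `Can` normalises `req.Host` (case, missing port, IP-literal forms) is not visible here, and since the value is client-supplied it is worth confirming that the rule match and the later `Dial` agree on what the string means. The function body starts and ends outside the hunk.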
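Review bot: In `(*Http2Server).HandleRequest` the new denial branch returns without setting a status, so if this method runs under net/http, as its `http.ResponseWriter` parameter suggests, the client receives an implicit `200 OK`, which for a CONNECT request reads as "tunnel established". Add `w.WriteHeader(http.StatusForbidden)` before the `return` so a policy denial is distinguishable from success on the wire. `target` is computed above the hunk and the function continues below it.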