diff --git a/src/main/kotlin/com/example/Application.kt b/src/main/kotlin/com/example/Application.kt
index 0931b77..5b84164 100644
--- a/src/main/kotlin/com/example/Application.kt
+++ b/src/main/kotlin/com/example/Application.kt
@@ -5,6 +5,7 @@ import com.example.config.configureDependencyInjection
 import com.example.config.configureHttp
 import com.example.config.configureLogging
 import com.example.config.configureRouting
+import com.example.config.configureSecurity
 import com.example.config.configureSerialization
 import com.example.config.configureSession
 import io.ktor.server.application.*
@@ -18,6 +19,7 @@ fun Application.module() {
 configureDependencyInjection()
 configureHttp()
 configureSession()
+ configureSecurity()
 configureSerialization()
 configureRouting()
 configureLogging()
diff --git a/src/main/kotlin/com/example/config/Routing.kt b/src/main/kotlin/com/example/config/Routing.kt
index 507a580..d8d3e10 100644
--- a/src/main/kotlin/com/example/config/Routing.kt
+++ b/src/main/kotlin/com/example/config/Routing.kt
@@ -7,6 +7,8 @@ import com.example.shared.dto.OrderDto
 import com.example.shared.dto.UserDto
 import io.ktor.http.*
 import io.ktor.server.application.*
+import io.ktor.server.auth.*
+import io.ktor.server.http.content.*
 import io.ktor.server.request.*
 import io.ktor.server.response.*
 import io.ktor.server.routing.*
@@ -20,41 +22,39 @@ fun Application.configureRouting() {
 val loginService by inject()
 routing {
- get("/") {
- call.respondText("Hello World!")
- }
-
 route("/api") {
 get("/menus") {
 val list = menuService.findAll()
 call.respond(list)
 }
- post("/orders") {
- val request = call.receive()
- val selectedMenu = menuService.getMenu(request.menuId)
- val order = OrderDto.DisplayResponse(
- orderCode = "ordercode1",
- menuName = selectedMenu.name,
- customerName = "홍길동",
- price = selectedMenu.price,
- status = CafeOrderStatus.READY,
- orderedAt = LocalDateTime.now(),
- id = 1
- )
- call.respond(order)
- }
- get("/orders/{orderCode}") {
- val orderCode = call.parameters["orderCode"]!!
- val order = OrderDto.DisplayResponse(
- orderCode = orderCode,
- menuName = "아이스라떼",
- customerName = "홍길동",
- price = 1000,
- status = CafeOrderStatus.READY,
- orderedAt = LocalDateTime.now(),
- id = 1
- )
- call.respond(order)
+ authenticate(AuthenticatedUser.CUSTOMER_REQUIRED) {
+ post("/orders") {
+ val request = call.receive()
+ val selectedMenu = menuService.getMenu(request.menuId)
+ val order = OrderDto.DisplayResponse(
+ orderCode = "ordercode1",
+ menuName = selectedMenu.name,
+ customerName = "홍길동",
+ price = selectedMenu.price,
+ status = CafeOrderStatus.READY,
+ orderedAt = LocalDateTime.now(),
+ id = 1
+ )
+ call.respond(order.orderCode)
+ }
+ get("/orders/{orderCode}") {
+ val orderCode = call.parameters["orderCode"]!!
+ val order = OrderDto.DisplayResponse(
+ orderCode = orderCode,
+ menuName = "아이스라떼",
+ customerName = "홍길동",
+ price = 1000,
+ status = CafeOrderStatus.READY,
+ orderedAt = LocalDateTime.now(),
+ id = 1
+ )
+ call.respond(order)
+ }
 }
 get("/me") {
@@ -78,5 +78,9 @@ fun Application.configureRouting() {
 call.respond(HttpStatusCode.OK)
 }
 }
+
+ singlePageApplication {
+ react("frontend")
+ }
 }
 }
diff --git a/src/main/kotlin/com/example/config/Security.kt b/src/main/kotlin/com/example/config/Security.kt
new file mode 100644
index 0000000..45a2485
--- /dev/null
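Review bot: The `post("/orders")` handler inside the new `authenticate(AuthenticatedUser.CUSTOMER_REQUIRED)` block never reads the principal it now requires — `customerName` is still the literal "홍길동" and nothing ties the order to the caller. The session principal is available there as `val user = call.principal<AuthenticatedUser>()` (or via the `call.authenticatedUser()` helper this commit adds in Security.kt), and the order should record `user.userId` so that `get("/orders/{orderCode}")` can be scoped to the requesting user once real lookups replace the stub; as written, any customer with a valid session would be served whatever order code it asks for. `call.respond(order.orderCode)` also changes the POST response from the `DisplayResponse` object to a bare string, a client-visible contract change that deserves a comment if intentional. configureRouting's body continues outside the hunk.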
+++ b/src/main/kotlin/com/example/config/Security.kt
@@ -0,0 +1,23 @@
+package com.example.config
+
+import com.example.shared.CafeUserRole
+import com.example.config.AuthenticatedUser.Companion.CUSTOMER_REQUIRED
+import io.ktor.http.*
+import io.ktor.server.application.*
+import io.ktor.server.auth.*
+import io.ktor.server.response.*
+
+fun Application.configureSecurity() {
+ install(Authentication) {
+ session(CUSTOMER_REQUIRED) {
+ validate { session: AuthenticatedUser ->
+ session.takeIf { it.userRoles.contains(CafeUserRole.CUSTOMER) }
+ }
+ challenge {
+ call.respond(HttpStatusCode.Forbidden, "only for customer");
+ }
+ }
+ }
+}
+
+fun ApplicationCall.authenticatedUser(): AuthenticatedUser = authentication.principal()!!
\ No newline at end of file
diff --git a/src/main/kotlin/com/example/config/Session.kt b/src/main/kotlin/com/example/config/Session.kt
index 5642109..a9d01cd 100644
--- a/src/main/kotlin/com/example/config/Session.kt
+++ b/src/main/kotlin/com/example/config/Session.kt
@@ -3,6 +3,7 @@ package com.example.config
 import com.example.shared.CafeUserRole
 import io.ktor.server.application.*
+import io.ktor.server.auth.*
 import io.ktor.server.sessions.*
 import kotlinx.serialization.Serializable
@@ -18,10 +19,11 @@ fun Application.configureSession() {
 data class AuthenticatedUser(
 val userId: Long,
 val userRoles: List
-) {
+): Principal {
 companion object {
 fun none() = AuthenticatedUser(0, listOf())
 const val SESSION_NAME = "CU_SESSION_ID"
+ const val CUSTOMER_REQUIRED = "customer-required"
 }
 }
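Review bot: The `challenge` block answers `403 Forbidden` / "only for customer" for every failure, but Ktor's session provider invokes the same challenge when no session is present at all, so an anonymous caller gets 403 where 401 is the right status; branching on `call.sessions.get<AuthenticatedUser>() == null` (io.ktor.server.sessions) to respond `HttpStatusCode.Unauthorized` in that case keeps 403 for the logged-in-but-wrong-role case and lets clients distinguish "log in" from "access denied". `ApplicationCall.authenticatedUser()` relies on `!!`, which throws a bare NullPointerException if a route outside `authenticate(CUSTOMER_REQUIRED)` ever calls it; prefer `checkNotNull(principal<AuthenticatedUser>()) { "no authenticated user on this call" }`, or return a nullable and let the caller decide. A short KDoc on configureSecurity stating that `validate` grants access purely from the roles stored in the session would make the trust boundary explicit. The trailing `;` on the `call.respond` line is not idiomatic Kotlin, and the file is missing its final newline.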
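Review bot: `AuthenticatedUser` now doubles as the session payload and the `Principal` handed back by `authenticate(CUSTOMER_REQUIRED)`, and that dual role is undocumented even though the role check in Security.kt trusts `userRoles` exactly as it comes back from the session. Suggested KDoc on the class: `/** Session payload and auth principal. [userRoles] is trusted as stored, so the session transport set up in [configureSession] must be signed or server-side for role checks to hold. */`. A one-line comment on `CUSTOMER_REQUIRED` saying it is the Authentication provider name passed to `authenticate(...)` in Routing.kt would help, since a constant named like a flag is easy to misread. The `none()` sentinel (userId 0, no roles) is rejected by that role check, which is fine but worth stating in the same KDoc. configureSession's body is outside the hunk.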