diff --git a/surfsense_backend/.env.example b/surfsense_backend/.env.example index fe1055c57..3ddfdd652 100644 --- a/surfsense_backend/.env.example +++ b/surfsense_backend/.env.example @@ -9,6 +9,7 @@ NEXT_FRONTEND_URL=http://localhost:3000 # Auth AUTH_TYPE=GOOGLE or LOCAL +REGISTRATION_ENABLED= TRUE or FALSE # For Google Auth Only GOOGLE_OAUTH_CLIENT_ID=924507538m GOOGLE_OAUTH_CLIENT_SECRET=GOCSV diff --git a/surfsense_backend/app/app.py b/surfsense_backend/app/app.py index 17f908247..1998f663f 100644 --- a/surfsense_backend/app/app.py +++ b/surfsense_backend/app/app.py @@ -1,6 +1,6 @@ from contextlib import asynccontextmanager -from fastapi import Depends, FastAPI +from fastapi import Depends, FastAPI, HTTPException, status from fastapi.middleware.cors import CORSMiddleware from sqlalchemy.ext.asyncio import AsyncSession @@ -17,6 +17,10 @@ async def lifespan(app: FastAPI): await create_db_and_tables() yield +def registration_allowed(): + if not config.REGISTRATION_ENABLED: + raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Registration is disabled") + return True app = FastAPI(lifespan=lifespan) @@ -36,6 +40,7 @@ app.include_router( fastapi_users.get_register_router(UserRead, UserCreate), prefix="/auth", tags=["auth"], + dependencies=[Depends(registration_allowed)], # blocks registration when disabled ) app.include_router( fastapi_users.get_reset_password_router(), @@ -62,6 +67,7 @@ if config.AUTH_TYPE == "GOOGLE": ), prefix="/auth/google", tags=["auth"], + dependencies=[Depends(registration_allowed)], # blocks OAuth registration when disabled ) app.include_router(crud_router, prefix="/api/v1", tags=["crud"]) diff --git a/surfsense_backend/app/config/__init__.py b/surfsense_backend/app/config/__init__.py index acd1017e4..6e894542b 100644 --- a/surfsense_backend/app/config/__init__.py +++ b/surfsense_backend/app/config/__init__.py 
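Review bot: `registration_allowed` in the `@@ -17,6 +17,10 @@` hunk of app.py has no docstring, and as the only place the new flag is enforced its contract should be stated, e.g. `"""FastAPI dependency: raise HTTP 403 when config.REGISTRATION_ENABLED is false."""`. The `return True` is never read when the function is only used through `dependencies=[...]`, as it is in this commit, so it can be dropped.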
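Review bot: The dependency added beside `prefix="/auth/google"` guards the whole OAuth router, not only account creation. If this is the usual fastapi-users OAuth router (its construction starts above the hunk), it serves the authorize and callback routes that existing Google users also use to sign in. With `AUTH_TYPE=GOOGLE` and `REGISTRATION_ENABLED=FALSE`, every login would then get the 403, and the likely workaround is to switch registration back on. Remove `dependencies=[Depends(registration_allowed)]` from this router and enforce the flag where a new account is created instead, for example in the user manager's `oauth_callback` path when no existing user matches.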
@@ -43,6 +43,7 @@ class Config: # Auth AUTH_TYPE = os.getenv("AUTH_TYPE") + REGISTRATION_ENABLED = os.getenv("REGISTRATION_ENABLED", "TRUE").upper() == "TRUE" # Google OAuth GOOGLE_OAUTH_CLIENT_ID = os.getenv("GOOGLE_OAUTH_CLIENT_ID") diff --git a/surfsense_web/app/(home)/register/page.tsx b/surfsense_web/app/(home)/register/page.tsx index 303d9a378..58641e2a1 100644 --- a/surfsense_web/app/(home)/register/page.tsx +++ b/surfsense_web/app/(home)/register/page.tsx @@ -64,6 +64,20 @@ export default function RegisterPage() { const data = await response.json(); + if (!response.ok && response.status === 403) { + const friendlyMessage = + "Registrations are currently closed. If you need access, contact your administrator."; + setErrorTitle("Registration is disabled"); + setError(friendlyMessage); + toast.error("Registration is disabled", { + id: loadingToast, + description: friendlyMessage, + duration: 6000, + }); + setIsLoading(false); + return; + } + if (!response.ok) { throw new Error(data.detail || `HTTP ${response.status}`); }
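Review bot: `REGISTRATION_ENABLED` falls back to `"TRUE"` when the variable is unset, so a deployment that never sets it keeps registration open; that default deserves a comment on this line, e.g. `# unset => registration stays open (backward compatible)`. The comparison accepts only the exact string, so a value with stray whitespace, or `1`/`yes`, silently disables registration. `os.getenv("REGISTRATION_ENABLED", "TRUE").strip().upper() == "TRUE"` removes the whitespace case, which is worth doing because the `.env.example` entry in this commit is written with a space after `=`. The value appears to be computed in the `Config` class body, so it is fixed at import and a change needs a restart.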
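Review bot: The new branch in `RegisterPage` treats every 403 from the register call as "registration disabled", but a 403 can also come from a proxy, a WAF or another backend dependency, and the user would then be told registrations are closed when they are not. Match the backend's detail as well, `if (response.status === 403 && data.detail === "Registration is disabled") {`; the `!response.ok &&` part is redundant because a 403 is never ok. `await response.json()` runs before this check, so a 403 with a non-JSON body would throw before reaching it; how that is caught is outside the hunk, as are the start and end of the enclosing handler.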