diff --git a/.env.default b/.env.default
index 689a02b..df136ef 100644
--- a/.env.default
+++ b/.env.default
@@ -12,4 +12,5 @@ HOST_PORTAINER=portainer
 HOST_MAIL=mail
 # other
 TZ=Europe/Paris
+BASIC_AUTH=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/
diff --git a/traefik/docker-compose.yml b/traefik/docker-compose.yml
index 8c98d0b..65de3f0 100644
--- a/traefik/docker-compose.yml
+++ b/traefik/docker-compose.yml
@@ -7,7 +7,8 @@ services:
 command:
 - --providers.docker=true
 - --providers.docker.exposedbydefault=false
- - --api.insecure # Don't do that in production
+ - --api=true
+ - --api.statistics=true
 - --entrypoints.web.address=:80
 - --entrypoints.websecure.address=:443
 - --certificatesresolvers.letsencrypt.acme.email=${LETSENCRYPT_EMAIL}
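Review bot: The added `BASIC_AUTH=test:$$apr1$$…` line in `.env.default` commits a working credential to the repository, so every deployment that copies the defaults shares one publicly known username and APR1-MD5 hash in front of the Traefik dashboard. Ship the variable empty with a generation hint instead, e.g. `# generate with: htpasswd -nB <user>` followed by `BASIC_AUTH=`, and keep the real value out of version control. Whether the doubled `$$` is correct also depends on how the Compose version in use treats `$` inside env files, so the comment should state which escaping is expected.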
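Review bot: `--api.statistics=true` in the `command:` list of `traefik/docker-compose.yml` is not an option every Traefik release accepts, and the image tag is outside this hunk. Traefik v2 typically refuses to start on a static flag it does not recognise, so confirm the flag against the pinned version or drop it. The removed line carried the only explanation of how the API is exposed; a replacement comment such as `# API/dashboard served only through the api@internal router (basic auth, TLS)` above `--api=true` would keep that intent visible. The `command:` list continues outside the hunk.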
@@ -22,16 +23,16 @@ services:
 - GANDIV5_API_KEY=${GANDIV5_API_KEY}
 labels:
 - traefik.enable=true
- - traefik.http.routers.dashboard.rule=Host(`${HOST_TRAEFIK}.${DOMAIN}`)
- - traefik.http.routers.dashboard.entrypoints=web
- - traefik.http.routers.dashboard.entrypoints=websecure
- - traefik.http.routers.dashboard.service=api@internal
- #- traefik.http.routers.dashboard.tls=true
- - traefik.http.routers.dashboard.tls.certresolver=letsencrypt
- - traefik.http.routers.dashboard.tls.domains[0].main=${DOMAIN}
- - traefik.http.routers.dashboard.tls.domains[0].sans=*.${DOMAIN}
- #- traefik.http.services.dashboard.loadbalancer.server.port=8080
-# - traefik.http.routers.dashboard.middlewares=redirect-to-https
+ - traefik.http.routers.api.rule=Host(`${HOST_TRAEFIK}.${DOMAIN}`)
+ - traefik.http.routers.api.entrypoints=web
+ - traefik.http.routers.api.entrypoints=websecure
+ - traefik.http.routers.api.service=api@internal
+ - traefik.http.routers.api.middlewares=auth
+ - traefik.http.middlewares.auth.basicauth.users=${BASIC_AUTH}
+ # request widlcard certificate
+ - traefik.http.routers.api.tls.certresolver=letsencrypt
+ - traefik.http.routers.api.tls.domains[0].main=${DOMAIN}
+ - traefik.http.routers.api.tls.domains[0].sans=*.${DOMAIN}
 # global redirect to https
 - traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)
 - traefik.http.routers.http-catchall.entrypoints=web
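Review bot: The two consecutive `traefik.http.routers.api.entrypoints=` labels set the same key twice, so only one value can take effect and which one is left to the label parser. Since this router now carries the `auth` basic-auth middleware, state the intent in a single line, `- traefik.http.routers.api.entrypoints=websecure`, so credentials are only ever accepted on the TLS entrypoint. The added comment has a typo (`widlcard`); `# request wildcard certificate` reads correctly. The `labels:` list starts before this hunk and continues after it.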