diff --git a/TODO.md b/TODO.md
index 41ebbeb..0e2c85b 100644
--- a/TODO.md
+++ b/TODO.md
@@ -14,7 +14,7 @@
 [x] Create a `GET /login` endpoint that returns a simple HTML login form (username and password fields).
 [x] Add a rouille::session manager to set a session cookie.
 [x] Create a `POST /login` endpoint that validates credentials against USERNAME and PASSWORD environment variables.
-[ ] Protect write endpoints (POST /projects, and any future write operations) with authentication. Redirect to /login if not authenticated.
+[x] Protect write endpoints (POST /projects, and any future write operations) with authentication. Redirect to /login if not authenticated.
 [ ] Add a login button to the front page (GET /projects) that links to /login.
 [ ] When logged in, show a "Create Project" button on the front page that links to /new-project.
 [ ] When logged in, add an edit icon to each project-card web component. Clicking the icon opens a dialog with a form to update the progress percentage and archive/unarchive the project.
diff --git a/src/main.rs b/src/main.rs
index 3b9c33d..1c4c59a 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -35,16 +35,35 @@ fn main() {
             rouille::Response::from_data("application/javascript", js.as_ref())
         },
         (GET) ["/projects"] => display_projects(),
-        (GET) ["/new-project"] => new_project_form(),
+        (GET) ["/new-project"] => {
+            if is_authenticated(session, &authenticated_sessions) {
+                new_project_form()
+            } else {
+                rouille::Response::redirect_302("/login")
+            }
+        },
         (GET) ["/login"] => login_form(),
         (POST) ["/login"] => handle_login(request, session, &authenticated_sessions),
-        (POST) ["/projects"] => create_project(request),
+        (POST) ["/projects"] => {
+            if is_authenticated(session, &authenticated_sessions) {
+                create_project(request)
+            } else {
+                rouille::Response::redirect_302("/login")
+            }
+        },
         _ => rouille::Response::empty_404()
     )
 })
 });
 }
 
+fn is_authenticated(session: &session::Session, authenticated_sessions: &Mutex>) -> bool {
+    authenticated_sessions
+        .lock()
+        .map(|sessions| sessions.contains(session.id()))
+        .unwrap_or(false)
+}
+
 fn display_projects() -> rouille::Response {
     let projects = db::list_all_projects().unwrap_or_default();
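Review bot: The authentication gate is written out inline for both the `GET /new-project` and `POST /projects` arms, so every future write arm must repeat the same `if is_authenticated … else redirect_302("/login")` block and one omitted copy silently leaves that endpoint open; a small wrapper taking the same two arguments as `is_authenticated` plus a handler closure would let each arm read `(POST) ["/projects"] => require_auth(session, &authenticated_sessions, || create_project(request)),`. The POST gate only checks that the session cookie's id is recorded in `authenticated_sessions`; nothing in this hunk shows an anti-CSRF token being validated, so unless `create_project` does that elsewhere a cross-site form post from an already logged-in browser would pass this check. `is_authenticated` also deserves a doc comment stating its fail-closed behaviour, e.g. `/// True only if this request's session id was recorded by a successful login; a poisoned lock counts as not authenticated.` The parameter type reads `&Mutex>` on this page, which looks like the generic argument was lost in rendering rather than in the committed code. `main` begins before this hunk and `display_projects` continues past it.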