diff --git a/src/main/kotlin/fi/oph/kitu/WebSecurityConfig.kt b/src/main/kotlin/fi/oph/kitu/WebSecurityConfig.kt
new file mode 100644
index 00000000..3f90f3d1
--- /dev/null
+++ b/src/main/kotlin/fi/oph/kitu/WebSecurityConfig.kt
@@ -0,0 +1,26 @@
+package fi.oph.kitu
+
+import org.springframework.context.annotation.Bean
+import org.springframework.context.annotation.Configuration
+import org.springframework.security.config.Customizer
+import org.springframework.security.config.annotation.web.builders.HttpSecurity
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
+import org.springframework.security.web.SecurityFilterChain
+
+@Configuration
+@EnableWebSecurity
+class WebSecurityConfig {
+ @Bean
+ fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
+ http
+ .csrf { csrf -> csrf.ignoringRequestMatchers("/api/*") }
+ .authorizeHttpRequests { authorize ->
+ authorize
+ .anyRequest()
+ .authenticated()
+ }.httpBasic(Customizer.withDefaults())
+ .formLogin(Customizer.withDefaults())
+
+ return http.build()
+ }
+}
diff --git a/src/main/kotlin/fi/oph/kitu/oppija/OppijaController.kt b/src/main/kotlin/fi/oph/kitu/oppija/OppijaController.kt
index 5ee44f3a..83ffdabe 100644
--- a/src/main/kotlin/fi/oph/kitu/oppija/OppijaController.kt
+++ b/src/main/kotlin/fi/oph/kitu/oppija/OppijaController.kt
@@ -11,10 +11,10 @@ class OppijaController { @Autowired private lateinit var oppijaService: OppijaService - @GetMapping("/oppija") + @GetMapping("/api/oppija") fun getOppijat(): Iterable = oppijaService.getAll() - @PostMapping("/oppija") + @PostMapping("/api/oppija") fun addOppija( @RequestBody name: String, ) = oppijaService.insert(name)
diff --git a/src/test/kotlin/fi/oph/kitu/oppija/OppijaTests.kt b/src/test/kotlin/fi/oph/kitu/oppija/OppijaTests.kt
index ea89894e..38b07c42 100644
--- a/src/test/kotlin/fi/oph/kitu/oppija/OppijaTests.kt
+++ b/src/test/kotlin/fi/oph/kitu/oppija/OppijaTests.kt
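Review bot: CSRF protection is switched off for `/api/*` in the same `securityFilterChain` that enables `formLogin`, so a session cookie issued by the login page also authenticates the state-changing `POST /api/oppija` (moved under `/api` in the OppijaController.kt hunk) without any token check. If `/api` is meant for non-browser clients, give it its own stateless Basic-auth chain and keep CSRF at its default on the form-login chain, as sketched below; this needs imports for `Order` and `SessionCreationPolicy`. If browsers do call `/api`, keep CSRF enabled there and have the client send the token instead. Separately, `"/api/*"` matches a single path segment only, so nested routes added later would not be covered by this matcher; `/api/**` states the intent more clearly.

```kotlin
    @Bean
    @Order(1)
    fun apiFilterChain(http: HttpSecurity): SecurityFilterChain {
        http
            .securityMatcher("/api/**")
            // No session is created for API calls, so there is no cookie for CSRF to protect.
            .sessionManagement { session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS) }
            .csrf { csrf -> csrf.disable() }
            .authorizeHttpRequests { authorize -> authorize.anyRequest().authenticated() }
            .httpBasic(Customizer.withDefaults())

        return http.build()
    }

    @Bean
    @Order(2)
    fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
        http
            // CSRF stays enabled (the default) for the session-based form login.
            .authorizeHttpRequests { authorize -> authorize.anyRequest().authenticated() }
            .formLogin(Customizer.withDefaults())

        return http.build()
    }
```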
@@ -24,7 +24,7 @@ class OppijaTests(
 fun `get oppija`() {
 client
 .get()
- .uri("/oppija")
+ .uri("/api/oppija")
 .accept(MediaType.APPLICATION_JSON)
 .exchange()
 .expectStatus()
@@ -37,7 +37,7 @@ class OppijaTests(
 fun `post oppija`() {
 client
 .post()
- .uri("/oppija")
+ .uri("/api/oppija")
 .bodyValue("Mikko Mallikas")
 .exchange()
 .expectStatus()