diff --git a/src/app/Http/Kernel.php b/src/app/Http/Kernel.php
--- a/src/app/Http/Kernel.php
+++ b/src/app/Http/Kernel.php
@@ -71,6 +71,7 @@
         'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
         'scopes' => \Laravel\Passport\Http\Middleware\CheckScopes::class,
         'scope' => \Laravel\Passport\Http\Middleware\CheckForAnyScope::class,
+        'allowedHosts' => \App\Http\Middleware\AllowedHosts::class,
     ];
 
     /**
diff --git a/src/app/Http/Middleware/AllowedHosts.php b/src/app/Http/Middleware/AllowedHosts.php
new file mode 100644
--- /dev/null
+++ b/src/app/Http/Middleware/AllowedHosts.php
@@ -0,0 +1,26 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+
+class AllowedHosts
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param \Illuminate\Http\Request $request
+     * @param \Closure                 $next
+     * @param array|string             $hosts
+     *
+     * @return mixed
+     */
+    public function handle($request, Closure $next)
+    {
+        $allowedDomains = \config('app.services_allowed_domains');
+        if (!in_array(request()->getHost(), $allowedDomains)) {
+            return abort(404);
+        }
+        return $next($request);
+    }
+}
diff --git a/src/config/app.php b/src/config/app.php
--- a/src/config/app.php
+++ b/src/config/app.php
@@ -85,10 +85,17 @@
 
     'website_domain' => env('APP_WEBSITE_DOMAIN', env('APP_DOMAIN', 'domain.tld')),
 
-    'services_domain' => env(
-        'APP_SERVICES_DOMAIN',
-        "services." . env('APP_WEBSITE_DOMAIN', env('APP_DOMAIN', 'domain.tld'))
-    ),
+    // Restrict over which domains the services paths can be accessed.
+    'services_allowed_domains' => explode(',', env(
+        'APP_SERVICES_ALLOWED_DOMAINS',
+        "webapp,kolab," . env(
+            'APP_SERVICES_DOMAIN',
+            "services." . env(
+                'APP_WEBSITE_DOMAIN',
+                env('APP_DOMAIN', 'domain.tld')
+            )
+        )
+    )),
 
     /*
     |--------------------------------------------------------------------------
diff --git a/src/routes/api.php b/src/routes/api.php
--- a/src/routes/api.php
+++ b/src/routes/api.php
@@ -207,7 +207,7 @@
 if (\config('app.with_services')) {
     Route::group(
         [
-            'domain' => \config('app.services_domain'),
+            'middleware' => ['allowedHosts'],
             'prefix' => 'webhooks'
         ],
         function () {