diff --git a/README.md b/README.md
index 3bc3b67..b8e743d 100644
--- a/README.md
+++ b/README.md
@@ -27,12 +27,15 @@ openssl req -x509 -newkey rsa:4096 -keyout key.rsa -out cert.pem \
 -days 3650 -nodes -subj "/CN=example.com"
 ```
 
-3. Run the server. The command line arguments are `agate `. For example, to listen on the standard Gemini port (1965) on all interfaces:
+3. Run the server. The command line arguments are `agate []`. For example, to listen on the standard Gemini port (1965) on all interfaces:
 
 ```
 agate 0.0.0.0:1965 path/to/content/ cert.pem key.rsa
 ```
 
+Agate will check that the port part of the requested URL matches the port specified in the 1st argument.
+If `` is specified, agate will also check that the host part of the requested URL matches this domain.
+
 When a client requests the URL `gemini://example.com/foo/bar`, Agate will respond with the file at `path/to/content/foo/bar`. If there is a directory at that path, Agate will look for a file named `index.gmi` inside that directory.
 
 Optionally, set a log level via the `AGATE_LOG` environment variable. Logging is powered by the [env_logger crate](https://crates.io/crates/env_logger):
diff --git a/src/main.rs b/src/main.rs
index 4029c84..03ff624 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -25,7 +25,7 @@ fn main() -> Result {
 type Result = std::result::Result>;
 
 static ARGS: Lazy = Lazy::new(|| args().unwrap_or_else(|| {
- eprintln!("usage: agate ");
+ eprintln!("usage: agate []");
 std::process::exit(1);
 }));
 
@@ -34,6 +34,7 @@ struct Args {
 content_dir: String,
 cert_file: String,
 key_file: String,
+ domain: Option,
 }
 
 fn args() -> Option {
@@ -43,6 +44,7 @@ fn args() -> Option {
 content_dir: args.next()?,
 cert_file: args.next()?,
 key_file: args.next()?,
+ domain: args.next(),
 })
 }
 
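Review bot: `domain: args.next()` in `args()` stores the optional fifth argument verbatim, so an empty string or a value carrying a port, scheme or upper-case letters is accepted at startup and only surfaces later, when the exact string comparison in `parse_request` refuses every request that names a host. Checking the value once here (non-empty, bare hostname) and normalising its case, for example `domain: args.next().map(|d| d.to_ascii_lowercase()),`, would turn that misconfiguration into a startup error instead of a silent denial of service. Any arguments after the fifth are also ignored without a usage message. The body of `args()` begins above this hunk.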
@@ -108,9 +110,15 @@ async fn parse_request(stream: &mut R) -> Result {
 Url::parse(request)?
 };
 
- // Validate the URL. TODO: Check the hostname and port.
+ // Validate the URL, host and port.
 if url.scheme() != "gemini" {
+ // FIXME: This should return a 53 status code.
 Err("unsupported URL scheme")?
+ } else if ARGS.domain.as_ref().map_or(false, |domain| url.host().map_or(false, |host| &host.to_string() != domain)) {
+ // FIXME: This should return a 53 status code.
+ Err("proxy request refused")?
+ } else if url.port().map_or(false, |port| port != ARGS.sock_addr.rsplitn(2, ':').next().unwrap().parse().unwrap()) {
+ Err("port did not match")?
 }
 log::info!("Got request for {:?}", url);
 Ok(url)
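Review bot: The host check in the second branch fails open: `url.host().map_or(false, …)` treats a URL with no host component as acceptable, so such a request passes validation even when a domain is configured. The comparison is also an exact string match, so a host differing only in letter case would be refused if the parser leaves it as sent (worth confirming for the `gemini` scheme). I would refuse a missing host and compare case-insensitively: `} else if ARGS.domain.as_ref().map_or(false, |domain| url.host_str().map_or(true, |host| !host.eq_ignore_ascii_case(domain))) {`. The port branch re-parses `ARGS.sock_addr` with two `unwrap()` calls on every request that carries a port; parsing it once at startup would keep a malformed argument from panicking inside a connection handler. `parse_request` begins above this hunk, so how these `Err` values reach the client is not visible here.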