diff --git a/.env.sample b/.env.sample
index 7155dba..b015413 100644
--- a/.env.sample
+++ b/.env.sample
@@ -18,6 +18,10 @@ SANDBOX_DOMAIN=sandbox.cryptpad.example.com
 #EXTRA_DOMAINS=', `www.cryptpad.example.com`'
 LETS_ENCRYPT_ENV=production
 
+## Set to true to block unregistered users from accessing any CryptPad applications
+## See https://docs.cryptpad.org/en/admin_guide/customization.html#restricting-guest-access
+#RESTRICT_GUEST_ACCESS=false
+
 ## SSO / OIDC (optional — uncomment below and add compose.sso.yml to COMPOSE_FILE to enable)
 # COMPOSE_FILE="$COMPOSE_FILE:compose.sso.yml"
 #SSO_ENABLED=true
diff --git a/abra.sh b/abra.sh
index f7c1f33..69ea8ac 100644
--- a/abra.sh
+++ b/abra.sh
@@ -3,3 +3,4 @@ export CONFIG_JS_VERSION=v2
 export NGINX_CONF_VERSION=v1
 export SSO_ENTRYPOINT_VERSION=v6
 export SSO_JS_VERSION=v3
+export APPLICATION_CONFIG_VERSION=v3
diff --git a/application_config.js.tmpl b/application_config.js.tmpl
new file mode 100644
index 0000000..0a3698b
--- /dev/null
+++ b/application_config.js.tmpl
@@ -0,0 +1,24 @@
+// CryptPad application customization — generated from environment variables
+// See https://docs.cryptpad.org/en/admin_guide/customization.html
+// For default file, see: https://github.com/cryptpad/cryptpad/blob/main/customize.dist/application_config.js
+
+(() => {
+const factory = (AppConfig) => {
+    {{ if eq (env "RESTRICT_GUEST_ACCESS") "true" }}
+    // Block unregistered users from accessing any applications
+    AppConfig.registeredOnlyTypes = AppConfig.availablePadTypes.slice();
+    {{ end }}
+
+    return AppConfig;
+};
+
+// Do not change code below
+if (typeof(module) !== 'undefined' && module.exports) {
+    module.exports = factory(
+        require('../www/common/application_config_internal.js')
+    );
+} else if ((typeof(define) !== 'undefined' && define !== null) && (define.amd !== null)) {
+    define(['/common/application_config_internal.js'], factory);
+}
+
+})();
diff --git a/compose.yml b/compose.yml
index 62309ce..2c8bf5d 100644
--- a/compose.yml
+++ b/compose.yml
@@ -16,6 +16,7 @@ services:
       - "CPAD_HTTP2_DISABLE=true"
       - "CPAD_TRUST_PROXY=1"
       - "CPAD_CONF=/cryptpad/config/config.js"
+      - "RESTRICT_GUEST_ACCESS=${RESTRICT_GUEST_ACCESS:-false}"
     volumes:
       - cryptpad_blob:/cryptpad/blob
       - cryptpad_block:/cryptpad/block
@@ -26,6 +27,8 @@ services:
     configs:
       - source: config_js
         target: /cryptpad/config/config.js
+      - source: application_config_js
+        target: /cryptpad/customize/application_config.js
 
     deploy:
       restart_policy:
@@ -86,3 +89,7 @@ configs:
     name: ${STACK_NAME}_nginx_conf_${NGINX_CONF_VERSION}
     file: nginx.conf.tmpl
     template_driver: golang
+  application_config_js:
+    name: ${STACK_NAME}_application_config_js_${APPLICATION_CONFIG_VERSION}
+    file: application_config.js.tmpl
+    template_driver: golang