diff --git a/config/packages/security.php b/config/packages/security.php
index 78584166..5e26d69c 100644
--- a/config/packages/security.php
+++ b/config/packages/security.php
@@ -72,6 +72,10 @@
 ->accessControl()
 ->path('^/resetPassword$')
 ->roles(['IS_AUTHENTICATED_ANONYMOUSLY']);
+ $security
+ ->accessControl()
+ ->path('^/command.php$')
+ ->roles(['IS_AUTHENTICATED_ANONYMOUSLY']);
 
 $security
 ->accessControl()
diff --git a/src/Controller/CommandController.php b/src/Controller/CommandController.php
index 9ec2504d..a88939dc 100644
--- a/src/Controller/CommandController.php
+++ b/src/Controller/CommandController.php
@@ -3,10 +3,12 @@
 namespace BikeShare\Controller;
 
 use BikeShare\App\Kernel;
+use Psr\Log\LoggerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\Routing\Annotation\Route;
 
 class CommandController extends AbstractController
 {
@@ -21,10 +23,19 @@ public function __construct(Kernel $kernel)
 * @Route("/command.php", name="command")
 */
 public function index(
- Request $request
+ Request $request,
+ LoggerInterface $logger
 ): Response {
 $kernel = $this->kernel;
 
+ if (is_null($this->getUser())) {
+ $logger->notice('Access to command.php without authentication', [
+ 'ip' => $request->getClientIp(),
+ 'uri' => $request->getRequestUri(),
+ 'request' => $request->request->all(),
+ ]);
+ }
+
 ob_start();
 require_once $this->getParameter('kernel.project_dir') . '/command.php';
 $content = ob_get_clean();
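Review bot: The new rule in config/packages/security.php opens `/command.php` to unauthenticated requests, and the CommandController change in this same commit only logs that case before it goes on to `require_once` the legacy script, so every authorization decision for that endpoint now depends on checks inside command.php, which this diff does not show. If that is intended, I would state it next to the rule, for example `// public on purpose: authorization is enforced per action inside command.php; unauthenticated hits are logged in CommandController`, and confirm that each action in the legacy script really does reject a missing session. The path is a regular expression, so the dot should be escaped too: `->path('^/command\.php$')`.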
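Review bot: The `'request' => $request->request->all()` entry in the new notice in CommandController::index() writes the complete POST body of an unauthenticated request into the log, which can place credentials, tokens or personal data from that body into log storage, and its size is controlled by the caller. Logging the field names is usually enough to see which clients still call the endpoint without a session: `'request_keys' => $request->request->keys(),`. The branch has no `return`, so the request continues to the `require_once` below; if this is a temporary observation step, a short comment above the `if` saying so would help, otherwise the branch should end in a 401 or a redirect. `getClientIp()` reports the proxy address unless trusted proxies are configured, which is worth checking before the `ip` field is relied on. `index()` continues past the end of the hunk.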