diff --git a/app/config.go b/app/config.go
index 69313ae..b10b0fd 100644
--- a/app/config.go
+++ b/app/config.go
@@ -12,15 +12,16 @@ import (
 
 // Config represents the configuration of the server application.
 type Config struct {
-	Address string
-	Port    string
-	Prefix  string
-	Dir     string
-	TLS     *TLS
-	Log     Logging
-	Realm   string
-	Users   map[string]*UserInfo
-	Cors    Cors
+	Address  string
+	Port     string
+	Prefix   string
+	Dir      string
+	TLS      *TLS
+	Log      Logging
+	Realm    string
+	Users    map[string]*UserInfo
+	Cors     Cors
+	Readonly bool
 }
 
 // Logging allows definition for logging each CRUD method.
diff --git a/app/fs.go b/app/fs.go
index de39e67..a3ce4f2 100644
--- a/app/fs.go
+++ b/app/fs.go
@@ -55,6 +55,10 @@ func (d Dir) resolve(ctx context.Context, name string) string {
 
 // Mkdir resolves the physical file and delegates this to an os.Mkdir execution
 func (d Dir) Mkdir(ctx context.Context, name string, perm os.FileMode) error {
+	if d.Config.Readonly {
+		return os.ErrPermission
+	}
+
 	if name = d.resolve(ctx, name); name == "" {
 		return os.ErrNotExist
 	}
@@ -78,6 +82,12 @@ func (d Dir) OpenFile(ctx context.Context, name string, flag int, perm os.FileMo
 	if name = d.resolve(ctx, name); name == "" {
 		return nil, os.ErrNotExist
 	}
+
+	// open the file read-only
+	if d.Config.Readonly {
+		flag = os.O_RDONLY
+	}
+
 	f, err := os.OpenFile(name, flag, perm)
 	if err != nil {
 		return nil, err
@@ -95,6 +105,10 @@ func (d Dir) OpenFile(ctx context.Context, name string, flag int, perm os.FileMo
 
 // RemoveAll resolves the physical file and delegates this to an os.RemoveAll execution
 func (d Dir) RemoveAll(ctx context.Context, name string) error {
+	if d.Config.Readonly {
+		return os.ErrPermission
+	}
+
 	if name = d.resolve(ctx, name); name == "" {
 		return os.ErrNotExist
 	}
@@ -120,6 +134,10 @@ func (d Dir) RemoveAll(ctx context.Context, name string) error {
 
 // Rename resolves the physical file and delegates this to an os.Rename execution
 func (d Dir) Rename(ctx context.Context, oldName, newName string) error {
+	if d.Config.Readonly {
+		return os.ErrPermission
+	}
+
 	if oldName = d.resolve(ctx, oldName); oldName == "" {
 		return os.ErrNotExist
 	}
diff --git a/examples/config-sample.yaml b/examples/config-sample.yaml
index c7701fa..416a035 100644
--- a/examples/config-sample.yaml
+++ b/examples/config-sample.yaml
@@ -69,3 +69,8 @@ users:
 #
 #cors:
 #  origin: '*'
+
+# ---------------------------- Readonly ------------------------------
+# Access control, only read operations are allowed.
+#
+readonly: true