diff --git a/src/main/java/org/patinanetwork/codebloom/api/auth/AuthController.java b/src/main/java/org/patinanetwork/codebloom/api/auth/AuthController.java
index 6b3a0a68e..d418e177e 100644
--- a/src/main/java/org/patinanetwork/codebloom/api/auth/AuthController.java
+++ b/src/main/java/org/patinanetwork/codebloom/api/auth/AuthController.java
@@ -258,6 +258,13 @@ public ResponseEntity> enrollSchool(
 })
 @GetMapping("/school/verify")
 public RedirectView verifySchoolEmail(final HttpServletRequest request) {
+ String referer = request.getHeader("Referer");
+ String allowedOrigin = serverUrlUtils.getUrl();
+
+ if (referer == null || !referer.startsWith(allowedOrigin)) {
+ return new RedirectView("/settings?success=false&message=Invalid request origin");
+ }
+
 AuthenticationObject authenticationObject;
 Session session;
 User user;
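Review bot: `referer.startsWith(allowedOrigin)` is a string-prefix match on a URL rather than an origin comparison, so if `serverUrlUtils.getUrl()` returns a bare `scheme://host` without a trailing slash, a Referer whose host merely begins with the allowed host, or that carries the allowed URL in the userinfo part, passes the check; compare scheme, host and port of the parsed `java.net.URI` instead (sketch below, which needs `java.net.URI` and `java.net.URISyntaxException` imports and treats an unparseable header as a mismatch). Referer is at best a weak signal — browsers omit it under a restrictive Referrer-Policy and any non-browser client can set it freely — so this should stay an additional layer on top of the session and token validation that presumably follows, not replace it. If the verification link is opened directly from an email client the header is usually absent and legitimate users will land on the failure redirect; confirm the link reaches this endpoint via the frontend rather than straight from the mail. The body of verifySchoolEmail continues past the end of the hunk.
```java
public RedirectView verifySchoolEmail(final HttpServletRequest request) {
    String referer = request.getHeader("Referer");
    URI allowed = URI.create(serverUrlUtils.getUrl());
    URI origin;
    try {
        origin = referer == null ? null : new URI(referer);
    } catch (URISyntaxException e) {
        origin = null; // malformed Referer is treated as a mismatch
    }
    // Same-origin means scheme, host and port all agree; a prefix match on the raw string does not guarantee that.
    boolean sameOrigin = origin != null
            && origin.getScheme() != null && origin.getScheme().equalsIgnoreCase(allowed.getScheme())
            && origin.getHost() != null && origin.getHost().equalsIgnoreCase(allowed.getHost())
            && origin.getPort() == allowed.getPort();
    if (!sameOrigin) {
        return new RedirectView("/settings?success=false&message=Invalid request origin");
    }
    // … unchanged: AuthenticationObject / Session / User lookup …
```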