diff --git a/apps/fc-distribution/fc-distribution.yaml b/apps/fc-distribution/fc-distribution.yaml
index 0f6d4dc..ec7a949 100644
--- a/apps/fc-distribution/fc-distribution.yaml
+++ b/apps/fc-distribution/fc-distribution.yaml
@@ -331,7 +331,12 @@ spec:
 entryPoints:
 - websecure
 routes:
- - match: Host(`dist.flowercore.io`)
+ # Method allowlist: Host + (GET || HEAD). Anything else misses every
+ # route and Traefik returns 404 before reaching the pod — edge-level
+ # defense-in-depth over the controller's strict-mode entitlement check.
+ # Together these block admin ops (POST /blobs, POST /manifests*) from
+ # ever being processed on the public surface.
+ - match: Host(`dist.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
 kind: Rule
 middlewares:
 - name: dist-public-profile-header
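Review bot: The comment above the new `match` says any non-GET/HEAD request "misses every route", but that holds only while no other router matches `dist.flowercore.io` on `websecure`. The `routes` list and the rest of the IngressRoute continue outside this hunk, and another IngressRoute, Ingress or catch-all rule elsewhere would pick those requests up without any visible change here. I would record the precondition next to the rule, e.g. `# Holds only while no other router matches this Host on websecure; re-check when adding routes.`, and back it with a deploy-time smoke check that a POST to this host gets a 404 from the edge. The rule filters on method only, so any state-changing handler reachable through GET still depends entirely on the controller's entitlement check. The comment also names only the POST operations; if PUT, PATCH or DELETE are admin paths as well (not visible here), listing them would make the intent clearer.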