diff --git a/cmd/cake_crm/main.go b/cmd/cake_crm/main.go
index 805a4d8..f4d3853 100644
--- a/cmd/cake_crm/main.go
+++ b/cmd/cake_crm/main.go
@@ -1,22 +1,24 @@
 package main
 
 import (
-	"cake_crm/internal/app"
-	"cake_crm/internal/modules/messenger/telegram"
-	"cake_crm/internal/modules/storage/storage_file"
-	"cake_crm/internal/services/cart"
-	"cake_crm/internal/services/order"
-	proto "cake_crm/proto"
 	"context"
-	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/credentials/insecure"
 	"log"
 	"net"
 	"net/http"
 	"os"
 	"strconv"
 	"strings"
+
+	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+
+	"cake_crm/internal/app"
+	"cake_crm/internal/modules/messenger/telegram"
+	"cake_crm/internal/modules/storage/storage_file"
+	"cake_crm/internal/services/cart"
+	"cake_crm/internal/services/order"
+	proto "cake_crm/proto"
 )
 
 func main() {
@@ -102,6 +104,12 @@ func main() {
 
 func cors(h http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ua := r.Header.Get("User-Agent")
+		if !strings.HasPrefix(ua, "crabs") {
+			w.WriteHeader(403)
+			return
+		}
+		
 		w.Header().Set("Access-Control-Allow-Origin", "*")
 		w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PATCH, DELETE")
 		w.Header().Set("Access-Control-Allow-Headers", "Accept, Content-Type, Content-Length, Accept-Encoding, Authorization, ResponseType")
diff --git a/internal/services/cart/cart.http b/internal/services/cart/cart.http
new file mode 100644
index 0000000..472e0cd
--- /dev/null
+++ b/internal/services/cart/cart.http
@@ -0,0 +1,9 @@
+POST http://0.0.0.0:8090/cart
+User-Agent: crabs/1.0.0
+
+[
+    {
+        "productId": 1,
+        "count": 20
+    }
+]