diff --git a/src/Controller/UsersController.php b/src/Controller/UsersController.php
index dbc296b..3d684a0 100644
--- a/src/Controller/UsersController.php
+++ b/src/Controller/UsersController.php
@@ -311,6 +311,9 @@ class UsersController extends AppController
 if (empty(Configure::read('security.registration.self-registration'))) {
 throw new UnauthorizedException(__('User self-registration is not open.'));
 }
+ if (!empty(Configure::read('security.registration.floodProtection'))) {
+ $this->FloodProtection->check('register');
+ }
 if ($this->request->is('post')) {
 $data = $this->request->getData();
 $this->InboxProcessors = TableRegistry::getTableLocator()->get('InboxProcessors');
@@ -327,6 +330,9 @@ class UsersController extends AppController
 ],
 ];
 $processorResult = $processor->create($data);
+ if (!empty(Configure::read('security.registration.floodProtection'))) {
+ $this->FloodProtection->set('register');
+ }
 return $processor->genHTTPReply($this, $processorResult, ['controller' => 'Inbox', 'action' => 'index']);
 }
 $this->viewBuilder()->setLayout('login');
diff --git a/src/Model/Table/SettingProviders/CerebrateSettingsProvider.php b/src/Model/Table/SettingProviders/CerebrateSettingsProvider.php
index e5e6f6a..330e589 100644
--- a/src/Model/Table/SettingProviders/CerebrateSettingsProvider.php
+++ b/src/Model/Table/SettingProviders/CerebrateSettingsProvider.php
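Review bot: The flood-protection toggle is evaluated twice in the register action, once in front of `$this->FloodProtection->check('register')` and again in the second hunk in front of `$this->FloodProtection->set('register')`; reading it once into a local such as `$floodProtection = !empty(Configure::read('security.registration.floodProtection'));` keeps the two guards from drifting apart if the setting key is ever renamed. The `check()` call sits before the `is('post')` branch, so a client that has reached the limit is refused the GET of the form as well as the POST, which looks intended but deserves a comment like `// Blocks the form as well as the submission once the per-IP limit is hit`. Whether `check()` throws on a hit or only returns a status is not visible in this diff; if it returns a value, that value is discarded here and the request continues. The enclosing register action, and the place where the `FloodProtection` component is loaded, both start and end outside the hunk.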
@@ -274,6 +274,21 @@ class CerebrateSettingsProvider extends BaseSettingsProvider
 ]
 ],
 'Security' => [
+ 'Logging' => [
+ 'Logging' => [
+ 'security.logging.ip_source' => [
+ 'name' => __('Set IP source'),
+ 'type' => 'select',
+ 'description' => __('Select where the harvested IP should come from. This defaults to REMOTE_ADDR, but for instances behind a proxy HTTP_X_FORWARDED_FOR or HTTP_CLIENT_IP might make more sense.'),
+ 'default' => 'REMOTE_ADDR',
+ 'options' => [
+ 'REMOTE_ADDR' => 'REMOTE_ADDR',
+ 'HTTP_X_FORWARDED_FOR' => 'HTTP_X_FORWARDED_FOR',
+ 'HTTP_CLIENT_IP' => __('HTTP_CLIENT_IP'),
+ ],
+ ],
+ ]
+ ],
 'Registration' => [
 'Registration' => [
 'security.registration.self-registration' => [
@@ -282,6 +297,12 @@ class CerebrateSettingsProvider extends BaseSettingsProvider
 'description' => __('Enable the self-registration feature where user can request account creation. Admin can view the request and accept it in the application inbox.'),
 'default' => false,
 ],
+ 'security.registration.floodProtection' => [
+ 'name' => __('Enable registration flood-protection'),
+ 'type' => 'boolean',
+ 'description' => __('Enabling this setting will only allow 5 registrations / IP address every 15 minutes (rolling time-frame).'),
+ 'default' => false,
+ ],
 ]
 ],
 'Development' => [
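Review bot: The `security.logging.ip_source` description should state that `HTTP_X_FORWARDED_FOR` and `HTTP_CLIENT_IP` are ordinary request headers that any client can send, so they only yield a trustworthy address when a reverse proxy in front of the instance overwrites them; on a directly exposed instance the per-IP registration counter introduced in UsersController would key on a value the client chooses. A sentence such as `Only select a header option when a trusted proxy sets that header; otherwise the client controls the reported address.` appended to the description would make the trade-off visible to the administrator. `HTTP_X_FORWARDED_FOR` may also carry a comma-separated chain of addresses, so whichever component consumes this setting (not part of this diff) has to pick the proxy-appended element rather than the first one. Minor inconsistency in the options list: `HTTP_CLIENT_IP` is wrapped in `__()` while the other two labels are plain strings, and a header name is not translatable text, so `'HTTP_CLIENT_IP' => 'HTTP_CLIENT_IP',` matches its siblings.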
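Review bot: The `security.registration.floodProtection` description hard-codes the limit (5 registrations per IP address per 15 minutes) although the values that enforce it must live in the FloodProtection component, which is not part of this diff, so a later change to the component's thresholds would silently leave this text wrong. Either build the sentence from the component's constants or mark the coupling next to the entry, e.g. `// Limit values quoted in the description must match the FloodProtection component`. The description could also point out that the counter is keyed on the address selected by `security.logging.ip_source`, so an administrator enabling this setting reviews the IP source at the same time.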