diff --git a/src/app/login/page.tsx b/src/app/login/page.tsx
index 40d7e0d..071c30a 100644
--- a/src/app/login/page.tsx
+++ b/src/app/login/page.tsx
@@ -6,10 +6,27 @@ import { auth, signIn } from "@/src/auth";
 type LoginPageProps = {
 searchParams?: Promise<{
+ callbackUrl?: string;
 error?: string;
 }>;
 };
+function getSafeRedirectTo(value: FormDataEntryValue | null): string {
+ const raw = String(value ?? "/");
+
+ if (raw.startsWith("/") && !raw.startsWith("//")) {
+ return raw;
+ }
+
+ try {
+ const parsed = new URL(raw);
+
+ return `${parsed.pathname}${parsed.search}${parsed.hash}`;
+ } catch {
+ return "/";
+ }
+}
+
 async function login(formData: FormData) {
 "use server";
@@ -24,7 +41,7 @@ async function login(formData: FormData) {
 await signIn("credentials", {
 identifier,
 password: formData.get("password"),
- redirectTo: "/",
+ redirectTo: getSafeRedirectTo(formData.get("callbackUrl")),
 });
 } catch (error) {
 if (error instanceof AuthError) {
@@ -81,6 +98,12 @@ export default async function LoginPage({ searchParams }: LoginPageProps) {
 ) : null}
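Review bot: getSafeRedirectTo in the first hunk still lets a protocol-relative target through on its absolute-URL branch: `new URL("https://example.com//other.example")` has a pathname of `//other.example`, so the rebuilt `${pathname}${search}${hash}` starts with `//` and skips the `!raw.startsWith("//")` guard that only protects the relative branch, and for non-special schemes such as `mailto:` the same branch returns a bare pathname with no leading slash, so the function does not actually guarantee a same-origin path. The relative branch should also reject a `/\` prefix, which WHATWG-compliant parsers treat as `//` when the value is resolved against an origin; whether that applies here depends on how signIn resolves redirectTo, which is outside the hunk. Suggest one local-path predicate applied to both the raw value and the rebuilt path, plus a TSDoc comment stating the contract, e.g. `/** Reduces a form-supplied callbackUrl to a same-origin path; any other input falls back to "/". */`. The call site in the second hunk needs no change once the helper enforces its invariant.
```typescript
function getSafeRedirectTo(value: FormDataEntryValue | null): string {
  const raw = String(value ?? "/");
  // Same-origin path: leading "/" but neither "//" nor "/\" (protocol-relative forms).
  const isLocalPath = (p: string): boolean =>
    p.startsWith("/") && !p.startsWith("//") && !p.startsWith("/\\");

  if (isLocalPath(raw)) {
    return raw;
  }

  try {
    const parsed = new URL(raw);
    const local = `${parsed.pathname}${parsed.search}${parsed.hash}`;
    // Re-check: pathname can itself be "//host" or lack a leading slash.
    return isLocalPath(local) ? local : "/";
  } catch {
    return "/";
  }
}
```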