diff --git a/src/PowderCoating.Web/Controllers/KioskController.cs b/src/PowderCoating.Web/Controllers/KioskController.cs
index bbbcb9b..f899f77 100644
--- a/src/PowderCoating.Web/Controllers/KioskController.cs
+++ b/src/PowderCoating.Web/Controllers/KioskController.cs
@@ -26,6 +26,7 @@ namespace PowderCoating.Web.Controllers;
 /// When creating new Customer or Job records from the kiosk, CompanyId is set explicitly
 /// from session.CompanyId so the EF SaveChanges interceptor doesn't override it with 0.
 /// </summary>
+[Authorize]
 public class KioskController : Controller
 {
     private const string CookieName         = "KioskDevice";
diff --git a/src/PowderCoating.Web/Controllers/ReleaseNotesController.cs b/src/PowderCoating.Web/Controllers/ReleaseNotesController.cs
index adca6a5..6ebeaae 100644
--- a/src/PowderCoating.Web/Controllers/ReleaseNotesController.cs
+++ b/src/PowderCoating.Web/Controllers/ReleaseNotesController.cs
@@ -16,6 +16,7 @@ namespace PowderCoating.Web.Controllers;
 /// SuperAdmins because only platform staff should author release content.
 /// </para>
 /// </summary>
+[Authorize]
 public class ReleaseNotesController : Controller
 {
     private readonly IUnitOfWork _unitOfWork;
@@ -34,7 +35,6 @@ public class ReleaseNotesController : Controller
     /// newest-first.  Drafts are invisible to ordinary users so SuperAdmins can
     /// prepare notes in advance without surfacing them prematurely.
     /// </summary>
-    [Authorize]
     public async Task<IActionResult> Index()
     {
         var notes = (await _unitOfWork.ReleaseNotes.FindAsync(r => r.IsPublished))