diff --git a/index.js b/index.js
index a0f0a31..fe2da39 100644
--- a/index.js
+++ b/index.js
@@ -5,6 +5,10 @@ const { execSync } = require("node:child_process");
 const PORT = parseInt(process.env.PORT || "3001", 10);
 const TOKEN = process.env.HEALTH_TOKEN;
 
+if (!TOKEN) {
+  console.warn("WARNING: HEALTH_TOKEN is not set. All requests will be rejected (fail-closed).");
+}
+
 function readProcStat() {
   try {
     const line = execSync("head -1 /proc/stat", { encoding: "utf-8" }).trim();
@@ -84,13 +88,17 @@ const server = http.createServer((req, res) => {
     return;
   }
 
-  if (TOKEN) {
-    const auth = req.headers["authorization"];
-    if (auth !== `Bearer ${TOKEN}`) {
-      res.writeHead(401);
-      res.end(JSON.stringify({ error: "Unauthorized" }));
-      return;
-    }
+  if (!TOKEN) {
+    res.writeHead(401);
+    res.end(JSON.stringify({ error: "HEALTH_TOKEN not configured" }));
+    return;
+  }
+
+  const auth = req.headers["authorization"];
+  if (auth !== `Bearer ${TOKEN}`) {
+    res.writeHead(401);
+    res.end(JSON.stringify({ error: "Unauthorized" }));
+    return;
   }
 
   const data = getHealth();