diff --git a/serve/consent.go b/serve/consent.go
new file mode 100644
index 0000000..8d15f65
--- /dev/null
+++ b/serve/consent.go
@@ -0,0 +1,42 @@
+package serve
+
+import (
+ "net/http"
+ "time"
+)
+
+const cookieName = "__Host-consent-v1"
+
+// SetConsent registers a consent cookie on the response.
+func SetConsent(w http.ResponseWriter) {
+ http.SetCookie(w, &http.Cookie{
+ Name: cookieName,
+ Value: "given",
+ Expires: time.Now().Add(20 * 365 * 24 * time.Hour),
+ Path: "/",
+ Secure: true,
+ HttpOnly: true,
+ SameSite: http.SameSiteLaxMode,
+ })
+}
+
+// NeedsConsent is a middleware that immediately responds with a 403 if the
+// request does not bear a consent cookie.
+func NeedsConsent(next http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ if _, err := r.Cookie(cookieName); err != nil {
+ http.Error(w, cookieFailed, http.StatusForbidden)
+ return
+ }
+ next.ServeHTTP(w, r)
+ })
+}
+
+const cookieFailed = ` + + +

Consent required

+

The requested resource requires consent to processing identifying information and storying necessary cookies.

+

I'm just a lil guy. The information is used solely for providing the service's functionality.

+ +`
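Review bot: The 403 branch in NeedsConsent passes the HTML document in cookieFailed to http.Error, which sets `Content-Type: text/plain; charset=utf-8` (plus `X-Content-Type-Options: nosniff`), so browsers display the markup as source text instead of rendering the consent page. Set the content type and status explicitly and write the body yourself, keeping nosniff so the response still cannot be sniffed into another type. Separately, the check only tests that a cookie named cookieName exists; the `given` value written by SetConsent is never compared, so either check `c.Value == "given"` or state in the NeedsConsent comment that presence alone counts as consent (the `__Host-` prefix already scopes the cookie to this origin and path). The user-facing text also has a typo: `storying` should read `storing`.
```go
if _, err := r.Cookie(cookieName); err != nil {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.WriteHeader(http.StatusForbidden)
	// The write error cannot be reported to a client we are already answering.
	_, _ = w.Write([]byte(cookieFailed))
	return
}
// … unchanged: next.ServeHTTP(w, r) …
```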