diff --git a/changelog.md b/changelog.md
index 445560fdb4..8aa29358d7 100644
--- a/changelog.md
+++ b/changelog.md
@@ -23,6 +23,7 @@ The `zetacored` binary must be upgraded to trigger chain parameters data migrati
 ### Fixes
+* [4562](https://github.com/zeta-chain/node/pull/4562) - add AllowInsecureUnlock guard to eth_sign and eth_signTypedData
 * [4403](https://github.com/zeta-chain/node/pull/4403) - load Sui inbound cursors from database for all supported packages
 * [4401](https://github.com/zeta-chain/node/pull/4401) - retry Sui inbound when the inbound vote RPC failed
 * [4414](https://github.com/zeta-chain/node/pull/4414) - fix example package deployment by removing gateway object reference
diff --git a/rpc/backend/sign_tx.go b/rpc/backend/sign_tx.go
index cec9fbf1b5..ea9d5effd1 100644
--- a/rpc/backend/sign_tx.go
+++ b/rpc/backend/sign_tx.go
@@ -122,6 +122,11 @@ func (b *Backend) SendTransaction(args evmtypes.TransactionArgs) (common.Hash, e
 // Sign signs the provided data using the private key of address via Geth's signature standard.
 func (b *Backend) Sign(address common.Address, data hexutil.Bytes) (hexutil.Bytes, error) {
+ if !b.Cfg.JSONRPC.AllowInsecureUnlock {
+ b.Logger.Debug("account unlock with HTTP access is forbidden")
+ return nil, errors.New("account unlock with HTTP access is forbidden")
+ }
+
 from := sdk.AccAddress(address.Bytes())
 _, err := b.ClientCtx.Keyring.KeyByAddress(from)
@@ -143,6 +148,11 @@ func (b *Backend) Sign(address common.Address, data hexutil.Bytes) (hexutil.Byte
 // SignTypedData signs EIP-712 conformant typed data
 func (b *Backend) SignTypedData(address common.Address, typedData apitypes.TypedData) (hexutil.Bytes, error) {
+ if !b.Cfg.JSONRPC.AllowInsecureUnlock {
+ b.Logger.Debug("account unlock with HTTP access is forbidden")
+ return nil, errors.New("account unlock with HTTP access is forbidden")
+ }
+
 from := sdk.AccAddress(address.Bytes())
 _, err := b.ClientCtx.Keyring.KeyByAddress(from)
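Review bot: The guard added at the top of Sign, and repeated verbatim in SignTypedData in the next hunk, writes the same string literal four times and describes an "account unlock" although the rejected call is a signing request. A single package-level value such as `var errInsecureUnlockDisabled = errors.New("account unlock with HTTP access is forbidden")` would let both methods return one error that callers and tests can match with `errors.Is`. The doc comments should state the new precondition, e.g. `// It returns an error unless JSONRPC.AllowInsecureUnlock is enabled.` The default of that setting is not visible in this diff; if it defaults to true, the guard only protects nodes whose operators switch it off, which operators of publicly reachable RPC endpoints need to know. Both function bodies continue outside the hunks.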
diff --git a/rpc/backend/sign_tx_test.go b/rpc/backend/sign_tx_test.go
index c90df697ce..f94cd18c49 100644
--- a/rpc/backend/sign_tx_test.go
+++ b/rpc/backend/sign_tx_test.go
@@ -153,6 +153,15 @@ func (s *TestSuite) TestSign() {
 inputBz hexutil.Bytes
 expPass bool
 }{
+ {
+ "fail - insecure unlock not allowed",
+ func() {
+ s.backend.Cfg.JSONRPC.AllowInsecureUnlock = false
+ },
+ from,
+ nil,
+ false,
+ },
 {
 "fail - can't find key in Keyring",
 func() {},
@@ -204,6 +213,15 @@ func (s *TestSuite) TestSignTypedData() {
 inputTypedData apitypes.TypedData
 expPass bool
 }{
+ {
+ "fail - insecure unlock not allowed",
+ func() {
+ s.backend.Cfg.JSONRPC.AllowInsecureUnlock = false
+ },
+ from,
+ apitypes.TypedData{},
+ false,
+ },
 {
 "fail - can't find key in Keyring",
 func() {},
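Review bot: The new "fail - insecure unlock not allowed" case in TestSign, and its twin in TestSignTypedData in the next hunk, only records `expPass` as false, so it does not prove that the guard is what rejected the call. The following "can't find key in Keyring" case has an empty setup function and also fails, so if it uses the same `from` (its remaining fields are outside the hunk) the new case would presumably still fail with the guard removed. Asserting the reason, for example `s.Require().ErrorContains(err, "account unlock with HTTP access is forbidden")` adapted to the loop's variable names, or adding the key to the keyring in this case's setup, would pin the new behaviour. The setup also flips AllowInsecureUnlock on the shared `s.backend`, and the loop body is outside the hunk, so confirm the backend is rebuilt per case or the later passing cases will inherit the false value.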