diff --git a/.github/workflows/deploy-web.yml b/.github/workflows/deploy-web.yml
index 1ff6767141..52230a12bc 100644
--- a/.github/workflows/deploy-web.yml
+++ b/.github/workflows/deploy-web.yml
@@ -112,13 +112,48 @@ jobs: echo "azure-login-creds=AZURE_KV_US_DEV_SERVICE_PRINCIPAL" >> $GITHUB_OUTPUT echo "retrieve-secrets-keyvault=webvault-eastus-dev" >> $GITHUB_OUTPUT echo "environment-artifact=web-*-cloud-usdev.zip" >> $GITHUB_OUTPUT - echo "environment-name=Web Vault - US Development Cloud" >> $GITHUB_OUTPUT + echo "environment-name=Web Vault - US DEV Cloud" >> $GITHUB_OUTPUT echo "environment-url=http://vault.$ENV_NAME_LOWER.bitwarden.pw" >> $GITHUB_OUTPUT ;; esac # Set the sync utility to use for deployment to the environment (az-sync or azcopy) echo "sync-utility=azcopy" >> $GITHUB_OUTPUT + - name: Environment Protection + env: + TAG: ${{ steps.project_tag.outputs.tag }} + run: | + BRANCH_OR_TAG_LOWER=$(echo ${{ inputs.branch-or-tag }} | awk '{print tolower($0)}') + + PROD_ENV_PATTERN='USPROD|EUPROD' + PROD_ALLOWED_TAGS_PATTERN='web-v[0-9]+\.[0-9]+\.[0-9]+' + + QA_ENV_PATTERN='USQA|EUQA' + QA_ALLOWED_TAGS_PATTERN='.*' + + DEV_ENV_PATTERN='USDEV' + DEV_ALLOWED_TAGS_PATTERN='.*' + + if [[ \ + ${{ inputs.environment }} =~ \.*($PROD_ENV_PATTERN)\.* && \ + ! "$BRANCH_OR_TAG_LOWER" =~ ^($PROD_ALLOWED_TAGS_PATTERN).* \ + ]] || [[ \ + ${{ inputs.environment }} =~ \.*($QA_ENV_PATTERN)\.* && \ + ! "$BRANCH_OR_TAG_LOWER" =~ ^($QA_ALLOWED_TAGS_PATTERN).* \ + ]] || [[ \ + =~ \.*($DEV_ENV_PATTERN)\.* && \ + ! "$BRANCH_OR_TAG_LOWER" =~ ^($DEV_ALLOWED_TAGS_PATTERN).* \ + ]]; then + echo "!Deployment blocked!" + echo "Attempting to deploy a tag that is not allowed in ${{ inputs.environment }} environment" + echo + echo "Environment: ${{ inputs.environment }} + echo "Tag: ${{ inputs.branch-or-tag }} + exit 1 + else + echo "${{ inputs.branch-or-tag }} is allowed to deployed on to ${{ inputs.environment }} environment" + fi + approval: name: Approval for Deployment to ${{ needs.setup.outputs.environment-name }} needs: setup 
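Review bot: The third `[[` test in the new Environment Protection step has no left operand — the line reads `=~ \.*($DEV_ENV_PATTERN)\.* && \` with nothing before `=~` — so the USDEV branch of the guard is malformed bash, and the two lines `echo "Environment: ${{ inputs.environment }}` and `echo "Tag: ${{ inputs.branch-or-tag }}` are missing their closing quotes. The step also expands `inputs.branch-or-tag` and `inputs.environment` straight into the script text (unquoted in `echo ${{ inputs.branch-or-tag }}` and as a bare `[[` operand), which is the script-injection pattern GitHub's own Actions hardening guidance warns against; the `env:` block declared here sets `TAG`, but nothing in the script reads `$TAG`. Passing both inputs through `env:` and referencing them as quoted shell variables fixes the quoting and the injection exposure at once, as below. The `\.*` on either side of the environment pattern matches zero or more literal dots rather than arbitrary text; it is harmless with an unanchored `=~`, but `.*` (or nothing) says what was meant. The enclosing job — presumably `setup`, given `needs.setup.outputs.environment-name` — and its `steps:` begin before this hunk.
```yaml
      - name: Environment Protection
        env:
          ENVIRONMENT: ${{ inputs.environment }}
          BRANCH_OR_TAG: ${{ inputs.branch-or-tag }}
        run: |
          BRANCH_OR_TAG_LOWER=$(echo "$BRANCH_OR_TAG" | awk '{print tolower($0)}')
          # … unchanged: *_ENV_PATTERN / *_ALLOWED_TAGS_PATTERN definitions …
          if [[ \
            "$ENVIRONMENT" =~ ($PROD_ENV_PATTERN) && \
            ! "$BRANCH_OR_TAG_LOWER" =~ ^($PROD_ALLOWED_TAGS_PATTERN).* \
          ]] || [[ \
            "$ENVIRONMENT" =~ ($QA_ENV_PATTERN) && \
            ! "$BRANCH_OR_TAG_LOWER" =~ ^($QA_ALLOWED_TAGS_PATTERN).* \
          ]] || [[ \
            "$ENVIRONMENT" =~ ($DEV_ENV_PATTERN) && \
            ! "$BRANCH_OR_TAG_LOWER" =~ ^($DEV_ALLOWED_TAGS_PATTERN).* \
          ]]; then
            echo "!Deployment blocked!"
            echo "Attempting to deploy a tag that is not allowed in $ENVIRONMENT environment"
            echo
            echo "Environment: $ENVIRONMENT"
            echo "Tag: $BRANCH_OR_TAG"
            exit 1
          else
            echo "$BRANCH_OR_TAG is allowed to deployed on to $ENVIRONMENT environment"
          fi
```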
@@ -206,6 +241,31 @@ jobs: echo "commit=${{ steps.download-latest-artifacts.outputs.artifact-build-commit }}" >> $GITHUB_OUTPUT fi + - name: Ensure artifact is from main branch for USDEV environment + if: ${{ 'inputs.environment' == 'USDEV'}} + run: | + # If run-id was used + if [ "${{ inputs.build-web-run-id }}" ]; then + if [ "${{ steps.download-latest-artifacts.outputs.artifact-build-branch }}" != "main" ]; then + echo "Artifact is not from main branch" + exit 1 + fi + + # If artifact download failed + elif [ "${{ steps.download-latest-artifacts.outcome }}" == "failure" ]; then + branch=$(gh api /repos/bitwarden/clients/actions/runs/${{ steps.trigger-build-web.outputs.workflow_id }}/artifacts --jq '.artifacts[0].workflow_run.head_branch') + if [ "$branch" != "main" ]; then + echo "Artifact is not from main branch" + exit 1 + fi + + else + if [ "${{ steps.download-latest-artifacts.outputs.artifact-build-branch }}" != "main" ]; then + echo "Artifact is not from main branch" + exit 1 + fi + fi + notify-start: name: Notify Slack with start message needs:
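Review bot: The step guard `if: ${{ 'inputs.environment' == 'USDEV'}}` quotes `inputs.environment` as a string literal, so the expression compares the fixed text `inputs.environment` with `USDEV` and is always false — the main-branch check this step introduces never runs. It should read `if: ${{ inputs.environment == 'USDEV' }}`. The `elif` path calls `gh api`, which needs a token in its environment (`GH_TOKEN` or `GITHUB_TOKEN`); nothing in the hunk sets one, so confirm the job or step provides it, otherwise that branch fails for the wrong reason and the guard looks like it tripped. The first and last branches run the same comparison on `artifact-build-branch` and could collapse into a single `else`, and `inputs.build-web-run-id` would be safer passed through `env:` than expanded into the script text. The enclosing job and its `steps:` begin before this hunk.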