diff --git a/config/packages/security.yaml b/config/packages/security.yaml
index 5b90551..e992cd4 100644
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@@ -26,6 +26,7 @@ security:
- { path: ^/login, roles: PUBLIC_ACCESS }
- { path: ^/register, roles: PUBLIC_ACCESS }
- { path: ^/$, roles: PUBLIC_ACCESS }
+ - { path: ^/game, roles: PUBLIC_ACCESS }
- { path: ^/, roles: ROLE_USER }
when@test:
diff --git a/src/Controller/GameController.php b/src/Controller/GameController.php
new file mode 100644
index 0000000..037063c
--- /dev/null
+++ b/src/Controller/GameController.php
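Review bot: The new `^/game` access_control entry is a prefix match, so it also makes any future route such as `/games` or `/gamemaster` public, not only the game routes this commit adds; `- { path: ^/game(/|$), roles: PUBLIC_ACCESS }` limits it to the intended prefix. Because this rule sits above the `^/` ROLE_USER catch-all, authorization for `/game/start` and `/game/{id}/abandon` now rests entirely on the controller's own CSRF and ownership checks, which is worth recording next to the rule so the coupling survives the next refactor: `# /game/* is public so anonymous players can start/abandon session-bound games; GameController enforces ownership`.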
@@ -0,0 +1,94 @@
+validateCsrfToken('game_start', $request);
+
+ /** @var User|null $user */
+ $user = $this->getUser();
+
+ // Check no game already in progress
+ if ($user) {
+ $existing = $gameRepository->findActiveForUser($user);
+ } else {
+ $gameId = $request->getSession()->get('current_game_id');
+ $existing = $gameId ? $gameRepository->find($gameId) : null;
+ if ($existing && $existing->getStatus() !== Game::STATUS_IN_PROGRESS) {
+ $existing = null;
+ }
+ }
+
+ if ($existing) {
+ return $this->redirectToRoute('app_homepage');
+ }
+
+ $game = $generator->generate($user);
+
+ if (!$user) {
+ $request->getSession()->set('current_game_id', $game->getId());
+ }
+
+ return $this->redirectToRoute('app_homepage');
+ }
+
+ #[Route('/game/{id}/abandon', name: 'app_game_abandon', methods: ['POST'])]
+ public function abandon(
+ Game $game,
+ Request $request,
+ EntityManagerInterface $em,
+ ): Response {
+ $this->validateCsrfToken('game_abandon', $request);
+
+ /** @var User|null $user */
+ $user = $this->getUser();
+
+ // Verify ownership
+ if ($user) {
+ if ($game->getUser() !== $user) {
+ throw $this->createAccessDeniedException();
+ }
+ } else {
+ $sessionGameId = $request->getSession()->get('current_game_id');
+ if ($game->getId() !== $sessionGameId) {
+ throw $this->createAccessDeniedException();
+ }
+ }
+
+ $game->abandon();
+ $em->flush();
+
+ if (!$user) {
+ $request->getSession()->remove('current_game_id');
+ }
+
+ return $this->redirectToRoute('app_homepage');
+ }
+
+ private function validateCsrfToken(string $tokenId, Request $request): void
+ {
+ $token = $request->request->get('_token');
+ if (!$this->isCsrfTokenValid($tokenId, $token)) {
+ throw $this->createAccessDeniedException('Invalid CSRF token.');
+ }
+ }
+}
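Review bot: In `abandon()` the authenticated branch decides ownership by object identity (`$game->getUser() !== $user`), which only holds when the security token's user and the game's owner are the same managed Doctrine instance; a custom or stateless user provider would make this fail closed rather than open, but comparing identifiers is equally strict and does not depend on the identity map: `if ($game->getUser()?->getUserIdentifier() !== $user->getUserIdentifier()) {`. The same method calls `$game->abandon()` without checking `Game::STATUS_IN_PROGRESS`, whereas the anonymous branch of `start()` does check it, so unless `Game::abandon()` guards this itself (not visible here) a finished game can be flipped to abandoned by a re-submitted form; a guard such as `if ($game->getStatus() !== Game::STATUS_IN_PROGRESS) { return $this->redirectToRoute('app_homepage'); }` before the flush keeps the two routes consistent. The first ~30 lines of this hunk (the file and class header and the `start()` route attribute and signature) are not visible in this view, so the HTTP method restriction on `/game/start` could not be confirmed.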