diff --git a/eden/mononoke/server/repo_listener/src/http_service.rs b/eden/mononoke/server/repo_listener/src/http_service.rs
index 87ab5f3af9..99ba91d09d 100644
--- a/eden/mononoke/server/repo_listener/src/http_service.rs
+++ b/eden/mononoke/server/repo_listener/src/http_service.rs
@@ -39,12 +39,15 @@ pub enum HttpError {
     #[error("Bad request")]
     BadRequest(#[source] Error),
 
-    #[error("Method not acceptable")]
-    NotAcceptable,
+    #[error("Forbidden")]
+    Forbidden,
 
     #[error("Not found")]
     NotFound,
 
+    #[error("Method not allowed")]
+    MethodNotAllowed,
+
     #[error("Internal server error")]
     InternalServerError(#[source] Error),
 }
@@ -57,15 +60,17 @@ impl HttpError {
     pub fn http_response(&self) -> http::Result<Response<Body>> {
         let status = match self {
             Self::BadRequest(..) => http::StatusCode::BAD_REQUEST,
-            Self::NotAcceptable => http::StatusCode::NOT_ACCEPTABLE,
+            Self::Forbidden => http::StatusCode::FORBIDDEN,
             Self::NotFound => http::StatusCode::NOT_FOUND,
+            Self::MethodNotAllowed => http::StatusCode::METHOD_NOT_ALLOWED,
             Self::InternalServerError(..) => http::StatusCode::INTERNAL_SERVER_ERROR,
         };
 
         let body = match self {
             Self::BadRequest(ref e) => Body::from(format!("{:#}", e)),
-            Self::NotAcceptable => Body::empty(),
+            Self::Forbidden => Body::empty(),
             Self::NotFound => Body::empty(),
+            Self::MethodNotAllowed => Body::empty(),
             Self::InternalServerError(ref e) => Body::from(format!("{:#}", e)),
         };
 
@@ -229,7 +234,11 @@ where
         path: &str,
     ) -> Result<Response<Body>, HttpError> {
         if method != Method::POST {
-            return Err(HttpError::NotAcceptable);
+            return Err(HttpError::MethodNotAllowed);
+        }
+
+        if !self.acceptor().enable_http_control_api {
+            return Err(HttpError::Forbidden);
         }
 
         let ok = Response::builder()
diff --git a/eden/mononoke/server/repo_listener/src/netspeedtest.rs b/eden/mononoke/server/repo_listener/src/netspeedtest.rs
index ecfe851285..affc6227e6 100644
--- a/eden/mononoke/server/repo_listener/src/netspeedtest.rs
+++ b/eden/mononoke/server/repo_listener/src/netspeedtest.rs
@@ -63,7 +63,7 @@ pub async fn handle(
         return upload(body).await;
     }
 
-    Err(HttpError::NotAcceptable)
+    Err(HttpError::MethodNotAllowed)
 }
 
 fn download(headers: &HeaderMap<HeaderValue>) -> Result<Response<Body>, HttpError> {
diff --git a/eden/mononoke/tests/integration/library.sh b/eden/mononoke/tests/integration/library.sh
index cbd87dabeb..2629006349 100644
--- a/eden/mononoke/tests/integration/library.sh
+++ b/eden/mononoke/tests/integration/library.sh
@@ -590,9 +590,14 @@ EOF
 scuba_local_path_censored="$SCUBA_CENSORED_LOGGING_PATH"
 CONFIG
   fi
+
+  if [[ -z "$DISABLE_HTTP_CONTROL_API" ]]; then
   cat >> common/common.toml <<CONFIG
 enable_http_control_api=true
+CONFIG
+  fi
 
+  cat >> common/common.toml <<CONFIG
 [[whitelist_entry]]
 identity_type = "$ALLOWED_IDENTITY_TYPE"
 identity_data = "${OVERRIDE_ALLOWED_IDDATA:-$ALLOWED_IDENTITY_DATA}"
diff --git a/eden/mononoke/tests/integration/test-mononoke-http-control-api.t b/eden/mononoke/tests/integration/test-mononoke-http-control-api.t
new file mode 100644
index 0000000000..0e64d429b4
--- /dev/null
+++ b/eden/mononoke/tests/integration/test-mononoke-http-control-api.t
@@ -0,0 +1,14 @@
+# Copyright (c) Facebook, Inc. and its affiliates.
+#
+# This software may be used and distributed according to the terms of the
+# GNU General Public License found in the LICENSE file in the root
+# directory of this source tree.
+
+  $ . "${TEST_FIXTURES}/library.sh"
+  $ DISABLE_HTTP_CONTROL_API=1 setup_common_config
+  $ mononoke
+  $ wait_for_mononoke
+
+  $ sslcurl -X POST -fsS "https://localhost:$MONONOKE_SOCKET/control/drop_bookmarks_cache"
+  curl: (22) The requested URL returned error: 403 Forbidden
+  [22]