diff --git a/app.json b/app.json index 99825cd..6889e5b 100644 --- a/app.json +++ b/app.json @@ -85,7 +85,6 @@ "value": "", "required": false }, - "WHOOGLE_CONFIG_DARK": { "description": "[CONFIG] Enable dark mode (set to 1 or leave blank)", "value": "", diff --git a/app/routes.py b/app/routes.py index 46a8497..053cb72 100644 --- a/app/routes.py +++ b/app/routes.py @@ -241,7 +241,7 @@ def config(): config_disabled = app.config['CONFIG_DISABLE'] if request.method == 'GET': return json.dumps(g.user_config.__dict__) - elif request.method == 'PUT' and not config_disabled: + elif request.method == 'PUT' and not config_disabled: if 'name' in request.args: config_pkl = os.path.join( app.config['CONFIG_PATH'], @@ -273,7 +273,7 @@ def config(): session['config'] = config_data return redirect(config_data['url']) else: - return json.dumps({}) + return redirect(url_for('.index'), code=403) @app.route('/url', methods=['GET']) diff --git a/test/test_routes.py b/test/test_routes.py index fda189d..12cdda3 100644 --- a/test/test_routes.py +++ b/test/test_routes.py @@ -1,3 +1,5 @@ +from app import app + import json from test.conftest import demo_config @@ -52,6 +54,17 @@ def test_config(client): assert rv._status_code == 200 assert custom_config.replace('&', '&') in str(rv.data) + # Test disabling changing config from client + app.config['CONFIG_DISABLE'] = 1 + dark_mod = not demo_config['dark'] + demo_config['dark'] = dark_mod + rv = client.post('/config', data=demo_config) + assert rv._status_code == 403 + + rv = client.get('/config') + config = json.loads(rv.data) + assert config['dark'] != dark_mod + def test_opensearch(client): rv = client.get('/opensearch.xml')
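Review bot: In the `else:` branch of `config()`, `redirect(url_for('.index'), code=403)` pairs a Location header with a client-error status that browsers do not follow, so the caller gets a 403 carrying a redirect stub instead of a plain refusal. For a denied configuration change, an unambiguous response is easier to reason about and to alert on: `abort(403)` or `return '', 403`, assuming `abort` is imported alongside `redirect`. The branch appears to catch every request that is not a GET or an enabled write, so a comment such as `# config changes disabled via CONFIG_DISABLE, or unsupported method` would help. The hunk shows no import change, so confirm `url_for` is already in scope in app/routes.py. `config()` starts and ends outside this hunk.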
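Review bot: The block added to `test_config` sets `app.config['CONFIG_DISABLE'] = 1` and flips `demo_config['dark']` on shared objects without restoring them, so any test that runs afterwards inherits a locked config and a mutated fixture. Scope the change with pytest's `monkeypatch` fixture, e.g. `monkeypatch.setitem(app.config, 'CONFIG_DISABLE', 1)`, and post a copy such as `{**demo_config, 'dark': dark_mod}`. Because `config()` in app/routes.py also has a PUT branch guarded by `config_disabled`, the test should assert the 403 for a PUT as well as the POST; otherwise only one write path of the switch is covered. `test_config` begins outside this hunk.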