diff --git a/global_config.js b/global_config.js
index 56eafc3c..cba5c790 100644
--- a/global_config.js
+++ b/global_config.js
@@ -8,6 +8,10 @@ var router = new PromiseRouter();
 
 // Returns a promise for a {response} object.
 function handleUpdateGlobalConfig(req) {
+  if (!req.auth.isMaster) {
+    throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'Config updates requires valid masterKey.');
+  }
+
   return rest.update(req.config, req.auth,
                      '_GlobalConfig', 1, req.body)
   .then((response) => {