diff --git a/src/routes/config.js b/src/routes/config.js
index 844ec78a..ed9c92d0 100644
--- a/src/routes/config.js
+++ b/src/routes/config.js
@@ -23,11 +23,8 @@ export async function postConfig({ req, env, daCtx }) {
 }
 export async function getConfig({ env, daCtx }) {
- // // TODO maybe we should turn the order around?
- // if (!hasPermission(daCtx, 'CONFIG', 'read', true)) {
- // const key = daCtx.key.startsWith('/') ? daCtx.key : `/${daCtx.key}`
- // if (!hasPermission(daCtx, key, 'read', true)) { // TODO
- // return { status: 403 };
- // }
+ if (!hasPermission(daCtx, 'CONFIG', 'read', true)) {
+ return { status: 403 };
+ }
 return getKv(env, daCtx);
 }
diff --git a/test/routes/config.test.js b/test/routes/config.test.js
index 414e7347..c8534991 100644
--- a/test/routes/config.test.js
+++ b/test/routes/config.test.js
@@ -110,7 +110,8 @@ describe('Config', () => {
 );
 const res = await getConfig({ env, daCtx: ctx });
- assert.strictEqual(getKVCalled.length, 1, "Should always have get permission on config");
+ assert.strictEqual(getKVCalled.length, 0, "Should not have read permission on config");
+ assert.strictEqual(res.status, 403);
 const res2 = await postConfig({ req, env, daCtx: ctx });
 assert.strictEqual(res2.status, 403);
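Review bot: The new guard in getConfig passes a bare `true` as the fourth argument to hasPermission and carries no comment, so a reader cannot tell from these lines what the flag selects or that the per-path fallback sketched in the removed TODO was dropped on purpose. Since this is the only access check before `getKv(env, daCtx)`, I would state the policy above the `if`: `// Config reads require the CONFIG 'read' permission; there is no fallback to the permission on daCtx.key.` It is also worth confirming in hasPermission, which is not visible here, what it returns when no CONFIG rule has been defined, because after this change that result alone decides whether such a caller can read the config.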
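Review bot: The updated assertions cover only the denied path, and the same `ctx` is then expected to be refused by postConfig too, so nothing in this hunk shows that read and write are decided independently. Unless the file already has one outside the hunk, add a case where the context holds CONFIG read but not write and assert `getKVCalled.length === 1` for getConfig and `res2.status === 403` for postConfig. The message on the first assertion would read more precisely as `"getKv must not be called without CONFIG read permission"`, since the value being checked is the call count. The enclosing test starts and ends outside the hunk.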