diff --git a/src/client_server/message.rs b/src/client_server/message.rs
index 93ead2c7..25964cc2 100644
--- a/src/client_server/message.rs
+++ b/src/client_server/message.rs
@@ -45,6 +45,14 @@ pub async fn send_message_event_route(
     );
     let state_lock = mutex_state.lock().await;
 
+    // Forbid m.room.encrypted if encryption is disabled
+    if &body.event_type == "m.room.encrypted" && !db.globals.allow_encryption() {
+        return Err(Error::BadRequest(
+            ErrorKind::Forbidden,
+            "Encryption has been disabled",
+        ));
+    }
+
     // Check if this is a new transaction id
     if let Some(response) =
         db.transaction_ids
diff --git a/src/client_server/state.rs b/src/client_server/state.rs
index 24cc2a18..7618dcc4 100644
--- a/src/client_server/state.rs
+++ b/src/client_server/state.rs
@@ -73,6 +73,14 @@ pub async fn send_state_event_for_empty_key_route(
 ) -> ConduitResult<send_state_event::Response> {
     let sender_user = body.sender_user.as_ref().expect("user is authenticated");
 
+    // Forbid m.room.encryption if encryption is disabled
+    if &body.event_type == "m.room.encryption" && !db.globals.allow_encryption() {
+        return Err(Error::BadRequest(
+            ErrorKind::Forbidden,
+            "Encryption has been disabled",
+        ));
+    }
+
     let event_id = send_state_event_for_key_helper(
         &db,
         sender_user,