diff --git a/src/WebAPIService.cpp b/src/WebAPIService.cpp index 5be154979..f25c7a19f 100644 --- a/src/WebAPIService.cpp +++ b/src/WebAPIService.cpp @@ -28,10 +28,6 @@ WebAPIService::WebAPIService(AsyncWebServer * server) { // e.g. http://ems-esp/api?device=boiler&cmd=wwtemp&data=20&id=1 void WebAPIService::webAPIService(AsyncWebServerRequest * request) { - // see if the API is enabled - bool api_enabled; - EMSESP::webSettingsService.read([&](WebSettings & settings) { api_enabled = settings.api_enabled; }); - // must have device and cmd parameters if ((!request->hasParam(F_(device))) || (!request->hasParam(F_(cmd)))) { request->send(400, "text/plain", F("Invalid syntax")); @@ -77,8 +73,10 @@ void WebAPIService::webAPIService(AsyncWebServerRequest * request) { if (data.isEmpty()) { ok = Command::call(device_type, cmd.c_str(), nullptr, id.toInt(), json); // command only } else { + // we only allow commands with parameters if the API is enabled + bool api_enabled; + EMSESP::webSettingsService.read([&](WebSettings & settings) { api_enabled = settings.api_enabled; }); if (api_enabled) { - // we only allow commands with parameters if the API is enabled ok = Command::call(device_type, cmd.c_str(), data.c_str(), id.toInt(), json); // has cmd, data and id } else { request->send(401, "text/plain", F("Unauthorized")); diff --git a/src/WebDevicesService.cpp b/src/WebDevicesService.cpp index 0f389c656..5db6fcd50 100644 --- a/src/WebDevicesService.cpp +++ b/src/WebDevicesService.cpp 
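Review bot: In the second hunk of src/WebAPIService.cpp, `bool api_enabled;` is declared without an initializer and is assigned only inside the callback passed to `webSettingsService.read`, so if that callback is ever not invoked the authorization decision reads an indeterminate value. Initialise it closed, `bool api_enabled = false;`, so the data-carrying `Command::call` is reached only after the setting has been read as true. The refusal here is 401 "Unauthorized", while the equivalent check added in src/WebDevicesService.cpp answers 403; no credentials are challenged in the visible code, so 403 looks like the better fit for both. The body of webAPIService continues outside the hunk.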
@@ -100,7 +100,16 @@ void WebDevicesService::device_data(AsyncWebServerRequest * request, JsonVariant request->send(response); } +// takes a command and its data value from a specific Device, from the Web void WebDevicesService::write_value(AsyncWebServerRequest * request, JsonVariant & json) { + // only issue commands if the API is enabled + EMSESP::webSettingsService.read([&](WebSettings & settings) { + if (!settings.api_enabled) { + request->send(403); // forbidden error + return; + } + }); + if (json.is()) { JsonObject dv = json["devicevalue"]; @@ -125,16 +134,14 @@ void WebDevicesService::write_value(AsyncWebServerRequest * request, JsonVariant } if (ok) { - AsyncWebServerResponse * response = request->beginResponse(200); // OK - request->send(response); + request->send(200); } return; // found device, quit } } } - AsyncWebServerResponse * response = request->beginResponse(204); // no content error - request->send(response); + request->send(204); // no content error } }
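Review bot: The `return` in the new guard at the top of `write_value` sits inside the lambda passed to `webSettingsService.read`, so it leaves only the lambda and not the handler. With the API disabled the handler sends 403 and then carries on into the `devicevalue` handling below, which appears to dispatch the command (that part is outside the hunk) and ends in `request->send(200)` or `request->send(204)` from the last hunk, a second response on the same request. As written, the setting does not stop the write. Copy the flag into a local that defaults to false, then check it and return in the function body, as webAPIService does in src/WebAPIService.cpp.

```cpp
void WebDevicesService::write_value(AsyncWebServerRequest * request, JsonVariant & json) {
    // only issue commands if the API is enabled
    bool api_enabled = false; // fail closed if the settings callback does not run
    EMSESP::webSettingsService.read([&](WebSettings & settings) { api_enabled = settings.api_enabled; });
    if (!api_enabled) {
        request->send(403); // forbidden error
        return;             // leaves write_value, not just the lambda
    }
    // … unchanged: devicevalue lookup, command dispatch and 200/204 responses …
```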