diff --git a/src/webui/webapplication.cpp b/src/webui/webapplication.cpp
index 50c96306d..b250871e5 100644
--- a/src/webui/webapplication.cpp
+++ b/src/webui/webapplication.cpp
@@ -252,6 +252,9 @@ void WebApplication::doProcessRequest()
     const QString action = match.captured(u"action"_qs);
     const QString scope = match.captured(u"scope"_qs);
 
+    if (!session() && !isPublicAPI(scope, action))
+        throw ForbiddenHTTPError();
+
     APIController *controller = nullptr;
     if (session())
         controller = session()->getAPIController(scope);
@@ -263,9 +266,6 @@ void WebApplication::doProcessRequest()
             throw NotFoundHTTPError();
     }
 
-    if (!session() && !isPublicAPI(scope, action))
-        throw ForbiddenHTTPError();
-
     DataMap data;
     for (const Http::UploadedFile &torrent : request().files)
         data[torrent.filename] = torrent.data;