diff --git a/bento_beacon/app.py b/bento_beacon/app.py
index 89b0e2c..3abb891 100644
--- a/bento_beacon/app.py
+++ b/bento_beacon/app.py
@@ -17,7 +17,7 @@
 from .utils.beacon_request import save_request_data, validate_request, verify_permissions
 from .utils.beacon_response import init_response_data
 from .utils.katsu_utils import katsu_censorship_settings
-from .utils.censorship import set_censorship_settings
+from .utils.censorship import set_censorship_settings, reject_query_if_not_permitted
 REQUEST_SPEC_RELATIVE_PATH = "beacon-v2/framework/json/requests/"
 BEACON_MODELS = ["analyses", "biosamples", "cohorts", "datasets", "individuals", "runs", "variants"]
@@ -96,6 +96,7 @@ def before_request():
 validate_request()
 verify_permissions()
 save_request_data()
+ reject_query_if_not_permitted()
 init_response_data()
diff --git a/bento_beacon/config_files/config.py b/bento_beacon/config_files/config.py
index 2e863ae..93f4b0a 100644
--- a/bento_beacon/config_files/config.py
+++ b/bento_beacon/config_files/config.py
@@ -169,6 +169,9 @@ class Config:
 PHENOPACKETS_SCHEMA_REFERENCE = {"entityType": "individual", "schema": "phenopackets v1"}
 MAX_RETRIES_FOR_CENSORSHIP_PARAMS = 2
+
+ # don't let anonymous users query arbitrary phenopacket or experiment fields
+ ANONYMOUS_METADATA_QUERY_USES_DISCOVERY_CONFIG_ONLY = True
 # -------------------
 # gohan
diff --git a/bento_beacon/utils/censorship.py b/bento_beacon/utils/censorship.py
index 323a3ca..5fc564d 100644
--- a/bento_beacon/utils/censorship.py
+++ b/bento_beacon/utils/censorship.py
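Review bot: The new `reject_query_if_not_permitted()` call in `before_request` depends on its position, because it reads `g.permission_query_data` and `g.beacon_query_parameters`, which are presumably populated by `verify_permissions()` and `save_request_data()` on the lines above; nothing in the hunk records that. A comment such as `# access gate: reads g.permission_query_data and g.beacon_query_parameters, keep after verify_permissions() and save_request_data()` would stop a later reorder from turning the gate into an error on every request. It is also worth confirming that every route this hook covers ends up with both `phenopacket_filters` and `experiment_filters` set, since the gate indexes those keys directly. `before_request` begins above the hunk, so any earlier steps are not visible here.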
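Review bot: The comment above `ANONYMOUS_METADATA_QUERY_USES_DISCOVERY_CONFIG_ONLY` states the goal but not what the two values do, and this flag switches an access restriction off. Something like `# True: requests without query-data permission may filter only on discovery-config fields; False removes that restriction` makes the consequence of flipping it explicit for whoever edits the config. The value is hard-coded to the restrictive setting in this hunk, which is the safer default; if other settings in `Config` are overridable per deployment (not visible here), say in the comment whether this one is meant to be.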
@@ -70,3 +70,19 @@ def reject_if_too_many_filters(filters):
 def censored_chart_data(data):
 t = get_censorship_threshold() # zero with correct permissions
 return [{"label": d["label"], "value": d["value"]} for d in data if d["value"] > t]
+
+
+def query_has_phenopacket_filter():
+ return bool(g.beacon_query_parameters["phenopacket_filters"])
+
+
+def query_has_experiment_filter():
+ return bool(g.beacon_query_parameters["experiment_filters"])
+
+
+# some anonymous queries are not permitted
+def reject_query_if_not_permitted():
+ if g.permission_query_data or not current_app.config["ANONYMOUS_METADATA_QUERY_USES_DISCOVERY_CONFIG_ONLY"]:
+ return
+ if query_has_phenopacket_filter() or query_has_experiment_filter():
+ raise InvalidQuery("anonymous queries should use filters from discovery config only")
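Review bot: `reject_query_if_not_permitted` works as a denylist of two filter kinds, so any other entry in `g.beacon_query_parameters` that can reach metadata fields is allowed for a caller without `g.permission_query_data`; which keys exist is not visible in this hunk and should be checked against `save_request_data`. A docstring replacing `# some anonymous queries are not permitted` should state which filter kinds are deliberately allowed, so that a filter kind added later is reviewed against this gate instead of passing by default. The condition tests a permission, not authentication, so a signed-in caller lacking that permission would apparently also get the "anonymous queries" message; `"queries without data-query permission may only use filters from the discovery config"` would match the check. The two helpers index `["phenopacket_filters"]` and `["experiment_filters"]` directly, so a request path that leaves either key unset surfaces as a KeyError, not as `InvalidQuery`.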