diff --git a/src/core/config/mod.rs b/src/core/config/mod.rs
index a9469e5b3894ac78195a02c2aca792d4e0d6985a..71ffd7f369297f496b69ae5c6c15931a9d063280 100644
--- a/src/core/config/mod.rs
+++ b/src/core/config/mod.rs
@@ -292,6 +292,8 @@ pub struct Config {
 	#[serde(default = "true_fn")]
 	pub allow_legacy_media: bool,
 	#[serde(default = "true_fn")]
+	pub freeze_legacy_media: bool,
+	#[serde(default = "true_fn")]
 	pub media_startup_check: bool,
 	#[serde(default)]
 	pub media_compat_file_link: bool,
@@ -748,6 +750,7 @@ fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
 		line("Media compatibility filesystem links", &self.media_compat_file_link.to_string());
 		line("Prune missing media from database", &self.prune_missing_media.to_string());
 		line("Allow legacy (unauthenticated) media", &self.allow_legacy_media.to_string());
+		line("Freeze legacy (unauthenticated) media", &self.freeze_legacy_media.to_string());
 		line("Prevent Media Downloads From", {
 			let mut lst = vec![];
 			for domain in &self.prevent_media_downloads_from {
diff --git a/src/service/media/remote.rs b/src/service/media/remote.rs
index 9f622fe070a2abf268aecb4f25faf67d57ffca55..59846b8ee1f6d7a123d2c0f6e86fb09ffd47689e 100644
--- a/src/service/media/remote.rs
+++ b/src/service/media/remote.rs
@@ -310,6 +310,7 @@ pub async fn fetch_remote_thumbnail_legacy(
 		media_id: &body.media_id,
 	};
 
+	self.check_legacy_freeze()?;
 	self.check_fetch_authorized(&mxc)?;
 	let reponse = self
 		.services
@@ -342,6 +343,7 @@ pub async fn fetch_remote_thumbnail_legacy(
 pub async fn fetch_remote_content_legacy(
 	&self, mxc: &Mxc<'_>, allow_redirect: bool, timeout_ms: Duration,
 ) -> Result<media::get_content::v3::Response, Error> {
+	self.check_legacy_freeze()?;
 	self.check_fetch_authorized(mxc)?;
 	let response = self
 		.services
@@ -391,3 +393,13 @@ fn check_fetch_authorized(&self, mxc: &Mxc<'_>) -> Result<()> {
 
 	Ok(())
 }
+
+#[implement(super::Service)]
+fn check_legacy_freeze(&self) -> Result<()> {
+	self.services
+		.server
+		.config
+		.freeze_legacy_media
+		.then_some(())
+		.ok_or(err!(Request(NotFound("Remote media is frozen."))))
+}