src/Controller/RequestHandler.php | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/Controller/RequestHandler.php b/src/Controller/RequestHandler.php
index ed015a5..636f208 100644
--- a/src/Controller/RequestHandler.php
+++ b/src/Controller/RequestHandler.php
@@ -9,6 +9,7 @@ use Drupal\jsonapi\LinkManager\LinkManager;
 use Drupal\jsonapi\ResourceType\ResourceType;
 use Drupal\jsonapi\ResourceType\ResourceTypeRepositoryInterface;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\HttpKernel\Exception\UnprocessableEntityHttpException;
 use Symfony\Component\Serializer\Exception\InvalidArgumentException;
@@ -101,6 +102,12 @@ class RequestHandler {
 * The response object.
 */
 public function handle(Request $request, ResourceType $resource_type) {
+ if (!$request->isMethodCacheable() && !$resource_type->isValidatable()) {
+ // @see http://jsonapi.org/format/#crud-creating-responses-403
+ // @see http://jsonapi.org/format/#crud-updating-relationship-responses-403
+ throw new AccessDeniedHttpException(sprintf('Modifying "%s" resources is not supported.', $resource_type->getTypeName()));
+ }
+
 $unserialized = $this->deserialize($request, $resource_type);
 // Determine the request parameters that should be passed to the resource
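Review bot: The new guard at the top of `handle()` decides write access with `isMethodCacheable()`, a cacheability predicate that is true only for GET and HEAD, so every other method is rejected for non-validatable resource types; that fail-closed behaviour looks intended, but nothing in the code says so. I would add a comment above the `if`, e.g. `// Non-validatable resource types are read-only: reject everything except GET/HEAD before the request body is deserialized.`, so the check is not later narrowed to a list of "write" methods or moved below `deserialize()`. The diffstat shows only this file changed, so no test pins the 403; a functional test that sends the write methods the module routes (presumably POST, PATCH and DELETE) to a non-validatable type would keep the guard from regressing. The body of `handle()` continues past the end of the hunk.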