diff --git a/Makefile b/Makefile
index 4621a118..561d43b4 100644
--- a/Makefile
+++ b/Makefile
@@ -59,6 +59,7 @@ validate-proxy:
 sed -i 's/{{env "PUBLIC_ROUTE"}}/test.com/g' proxy/nginx-cloudfront.conf proxy/nginx-authy.conf
 sed -i 's#{{env "S3_URL"}}#http://test.com#g' proxy/nginx-common.conf
 sed -i 's#{{env "S3_BUCKET"}}#somebucket#g' proxy/nginx-common.conf
+ sed -i 's#{{env "DENY_PACKAGE_CREATE"}}#truetodeny#g' proxy/nginx-common.conf
 docker run --rm -e nameservers=127.0.0.1 -v $(shell pwd)/proxy:/proxy nginx nginx -t -c /proxy/nginx.conf
 sed -i 's/127.0.0.1/{{nameservers}}/g' proxy/nginx.conf
 sed -i 's/127.0.0.2/{{env "EXTERNAL_ROUTE"}}/g' proxy/nginx.conf proxy/nginx-cloudfront.conf
@@ -67,10 +68,10 @@ validate-proxy:
 sed -i 's/127.0.0.5/{{env "INTERNAL_ROUTE_ADMIN"}}/g' proxy/nginx.conf
 sed -i 's/127.0.0.6/{{env "PUBLIC_ROUTE"}}/g' proxy/nginx.conf proxy/nginx-cloudfront.conf
 sed -i 's/1111/{{port}}/g' proxy/nginx.conf proxy/nginx-common.conf
- sed -i 's/test.com/{{env "PUBLIC_ROUTE"}}/g' proxy/nginx-cloudfront.conf
+ sed -i 's/test.com/{{env "PUBLIC_ROUTE"}}/g' proxy/nginx-cloudfront.conf proxy/nginx-authy.conf
 sed -i 's#http://test.com#{{env "S3_URL"}}#g' proxy/nginx-common.conf
 sed -i 's#somebucket#{{env "S3_BUCKET"}}#g' proxy/nginx-common.conf
- sed -i 's/test.com/{{env "PUBLIC_ROUTE"}}/g' proxy/nginx-authy.conf
+ sed -i 's/truetodeny/{{env "DENY_PACKAGE_CREATE"}}/g' proxy/nginx-common.conf
 quick-bat-test: # if local environment is already build and running
diff --git a/manifest.yml b/manifest.yml
index 644dc204..a5d229e6 100644
--- a/manifest.yml
+++ b/manifest.yml
@@ -79,6 +79,7 @@ applications:
 INTERNAL_ROUTE: ((route-internal))
 EXTERNAL_ROUTE_ADMIN: ((route-external-admin))
 INTERNAL_ROUTE_ADMIN: ((route-internal-admin))
+ DENY_PACKAGE_CREATE: ((deny_package_create))
 - name: ((app_name))-gather
 buildpacks:
diff --git a/proxy/nginx-common.conf b/proxy/nginx-common.conf
index c6d68d78..c236a5be 100644
--- a/proxy/nginx-common.conf
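Review bot: In validate-proxy the new `DENY_PACKAGE_CREATE` substitution (first Makefile hunk) and its restore (second hunk) edit proxy/nginx-common.conf in place on either side of the `docker run … nginx -t` line, so a failed validation stops the recipe before the restore and leaves `truetodeny` in the tracked file. With that literal in place the `$deny = 'true'` test in nginx-common.conf never matches, which would leave the package_create and resource_create routes open if the file were committed or deployed in that state. Consider running the substitutions and `nginx -t` against a temporary copy of proxy/ rather than the working tree, so nothing has to be restored. The restore also switches delimiter from `#` to `/`; `sed -i 's#truetodeny#{{env "DENY_PACKAGE_CREATE"}}#g' proxy/nginx-common.conf` would mirror the forward line. The recipe begins before the first hunk, so earlier substitutions are not visible here.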
+++ b/proxy/nginx-common.conf
@@ -83,7 +83,11 @@ location = /500.html {
 # prevent users from accessing: '/dataset/new' route, 'package_create' and 'resource_create' API routes
 location ~ ^/(dataset\/new|api\/action\/package_create|api\/action\/resource_create)/?$ {
- deny all;
+ set $deny {{env "DENY_PACKAGE_CREATE"}};
+ if ($deny = 'true') {
+ return 403;
+ }
+ try_files $uri @proxy_to_app;
 }
 # use local path for map tiles so that they
diff --git a/vars.development.yml b/vars.development.yml
index d78d5d61..63abf75c 100644
--- a/vars.development.yml
+++ b/vars.development.yml
@@ -27,3 +27,5 @@ saml2_certificate: |
 -----END CERTIFICATE-----
 googleanalytics_id: UA-00000000-1
+
+deny_package_create: false
diff --git a/vars.prod.yml b/vars.prod.yml
index 8ab5036a..74fe26b0 100644
--- a/vars.prod.yml
+++ b/vars.prod.yml
@@ -27,3 +27,5 @@ saml2_certificate: |
 -----END CERTIFICATE-----
 googleanalytics_id: G-WP7FK9QXZD
+
+deny_package_create: true
diff --git a/vars.staging.yml b/vars.staging.yml
index 7bab1a54..d95d9dbc 100644
--- a/vars.staging.yml
+++ b/vars.staging.yml
@@ -27,3 +27,5 @@ saml2_certificate: |
 -----END CERTIFICATE-----
 googleanalytics_id: UA-00000000-2
+
+deny_package_create: false
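Review bot: The new guard in the `location ~ ^/(dataset\/new|…)` block of proxy/nginx-common.conf fails open: only the exact string `true` yields 403, so a misspelt or differently cased value (`True`, `1`, `yes`) silently turns the former unconditional `deny all` into a pass-through to the app. An empty or unset variable would render `set $deny ;`, which nginx should reject at load time, and because the template value is unquoted it is parsed as configuration text rather than as a single string. Quote the value and make denial the default, e.g. `set $deny "{{env "DENY_PACKAGE_CREATE"}}";` followed by `if ($deny != 'false') {`. `try_files $uri @proxy_to_app;` depends on a named location defined outside this hunk, and since vars.staging.yml sets the flag to false the 403 path is presumably exercised only in production.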