Much easier to simply block posts/puts to certain paths from ip ranges in the ingress layer, before they ever reach the application and are authenticated.