diff --git a/bookwyrm/connectors/abstract_connector.py b/bookwyrm/connectors/abstract_connector.py
index aa8edbeae..306bac3b3 100644
--- a/bookwyrm/connectors/abstract_connector.py
+++ b/bookwyrm/connectors/abstract_connector.py
@@ -191,7 +191,7 @@ class AbstractConnector(AbstractMinimalConnector):
 def get_book_data(self, remote_id: str) -> JsonDict: # pylint: disable=no-self-use
 """this allows connectors to override the default behavior"""
- return get_data(remote_id)
+ return get_data(remote_id, is_activitypub=False)
 def create_edition_from_data(
 self,
@@ -310,8 +310,13 @@ def get_data(
 url: str,
 params: Optional[dict[str, str]] = None,
 timeout: int = settings.QUERY_TIMEOUT,
+ is_activitypub: bool = True,
 ) -> JsonDict:
 """wrapper for request.get"""
+ # make sure this isn't a forbidden federated request
+ if is_activitypub:
+ models.SiteSettings.objects.get().raise_federation_disabled()
+
 # check if the url is blocked
 raise_not_valid_url(url)
diff --git a/bookwyrm/connectors/inventaire.py b/bookwyrm/connectors/inventaire.py
index 249f6b9ca..c5f8f910d 100644
--- a/bookwyrm/connectors/inventaire.py
+++ b/bookwyrm/connectors/inventaire.py
@@ -66,7 +66,7 @@ class Connector(AbstractConnector):
 return f"{self.books_url}?action=by-uris&uris={value}"
 def get_book_data(self, remote_id: str) -> JsonDict:
- data = get_data(remote_id)
+ data = get_data(remote_id, is_activitypub=False)
 extracted = list(data.get("entities", {}).values())
 try:
 data = extracted[0]
@@ -128,7 +128,7 @@ class Connector(AbstractConnector):
 """get a list of editions for a work"""
 # pylint: disable=line-too-long
 url = f"{self.books_url}?action=reverse-claims&property=wdt:P629&value={work_uri}&sort=true"
- return get_data(url)
+ return get_data(url, is_activitypub=False)
 def get_edition_from_work_data(self, data: JsonDict) -> JsonDict:
 work_uri = data.get("uri")
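Review bot: `is_activitypub=False` in the base-class `get_book_data` opts every connector that inherits this method out of the federation check, whatever host `remote_id` points at. Nothing on the method says so; the existing docstring only mentions that connectors may override the default. I would state the assumption where it is made, e.g. `# book-data lookups are not ActivityPub traffic; a connector that fetches from a federated server must override this and keep the check`. Whether any subclass currently targets a federated instance is not visible in this diff.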
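Review bot: The new `is_activitypub` parameter of `get_data` makes the federation gate a per-call boolean, yet the docstring still reads `"""wrapper for request.get"""` and mentions neither the flag nor the exception that `raise_federation_disabled()` can raise. The fail-closed default is the right choice, but callers that only catch `ConnectorException` (as the inventaire hunk at line 226 does) should be told that a different exception can now surface; its type is defined outside this diff, presumably `PermissionDenied` judging by the search.py hunk. Making the flag keyword-only, `*, is_activitypub: bool = True,`, would keep a stray positional `False` from silently disabling the gate, and every call site shown here already passes it by keyword. `get_data`'s body continues outside the hunk.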
@@ -226,7 +226,7 @@ class Connector(AbstractConnector):
 return ""
 url = f"{self.base_url}/api/data?action=wp-extract&lang=en&title={link}"
 try:
- data = get_data(url)
+ data = get_data(url, is_activitypub=False)
 except ConnectorException:
 return ""
 return str(data.get("extract", ""))
diff --git a/bookwyrm/connectors/openlibrary.py b/bookwyrm/connectors/openlibrary.py
index 4dc6d6ac1..6c73bc338 100644
--- a/bookwyrm/connectors/openlibrary.py
+++ b/bookwyrm/connectors/openlibrary.py
@@ -99,10 +99,10 @@ class Connector(AbstractConnector):
 ]
 def get_book_data(self, remote_id: str) -> JsonDict:
- data = get_data(remote_id)
+ data = get_data(remote_id, is_activitypub=False)
 if data.get("type", {}).get("key") == "/type/redirect":
 remote_id = self.base_url + data.get("location", "")
- return get_data(remote_id)
+ return get_data(remote_id, is_activitypub=False)
 return data
 def get_remote_id_from_data(self, data: JsonDict) -> str:
diff --git a/bookwyrm/models/site.py b/bookwyrm/models/site.py
index 327838472..9abd36517 100644
--- a/bookwyrm/models/site.py
+++ b/bookwyrm/models/site.py
@@ -266,7 +266,7 @@ def preview_image(instance, *args, **kwargs):
 def check_for_updates_task():
 """See if git remote knows about a new version"""
 site = SiteSettings.objects.get()
- release = get_data(RELEASE_API, timeout=3)
+ release = get_data(RELEASE_API, timeout=3, is_activitypub=False)
 available_version = release.get("tag_name", None)
 if available_version:
 site.available_version = available_version
diff --git a/bookwyrm/views/helpers.py b/bookwyrm/views/helpers.py
index d89e195ca..f768d5fcf 100644
--- a/bookwyrm/views/helpers.py
+++ b/bookwyrm/views/helpers.py
@@ -63,6 +63,9 @@ def is_bookwyrm_request(request):
 def handle_remote_webfinger(query, unknown_only=False, refresh=False):
 """webfingerin' other servers"""
+ # SHOULD we do a remote webfinger? Is it allowed?
+ models.SiteSettings.objects.get().raise_federation_disabled()
+
 user = None
 # usernames could be @user@domain or user@domain
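Review bot: The federation check on the first line of `handle_remote_webfinger` runs before any local lookup, so with federation disabled the helper raises even for accounts the instance may already know; the comment in `user_search` says this helper "will check the db". If the intent is only to stop outbound requests, `models.SiteSettings.objects.get().raise_federation_disabled()` belongs immediately before the remote fetch rather than at the top of the function. The same placement question applies to `subscribe_remote_webfinger` in the next hunk. Only `user_search` is shown handling the resulting exception, so other callers of either helper should be checked. Both function bodies continue outside their hunks.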
@@ -107,6 +110,9 @@ def handle_remote_webfinger(query, unknown_only=False, refresh=False):
 def subscribe_remote_webfinger(query):
 """get subscribe template from other servers"""
+ # SHOULD we do a remote webfinger? Is it allowed?
+ models.SiteSettings.objects.get().raise_federation_disabled()
+
 template = None
 # usernames could be @user@domain or user@domain
 if not query:
diff --git a/bookwyrm/views/search.py b/bookwyrm/views/search.py
index 95845db64..67f742fcf 100644
--- a/bookwyrm/views/search.py
+++ b/bookwyrm/views/search.py
@@ -3,6 +3,7 @@ import re
 from django.contrib.postgres.search import TrigramSimilarity, SearchRank, SearchQuery
+from django.core.exceptions import PermissionDenied
 from django.core.paginator import Paginator
 from django.db.models import F
 from django.db.models.functions import Greatest
@@ -129,7 +130,10 @@ def user_search(request):
 # use webfinger for mastodon style account@domain.com username to load the user if
 # they don't exist locally (handle_remote_webfinger will check the db)
 if re.match(regex.FULL_USERNAME, query) and viewer.is_authenticated:
- handle_remote_webfinger(query)
+ try:
+ handle_remote_webfinger(query)
+ except PermissionDenied:
+ return TemplateResponse(request, "search/user.html", data)
 results = (
 models.User.viewer_aware_objects(viewer)
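Review bot: The `except PermissionDenied:` branch in `user_search` returns the template immediately, so the local `results` query below it never runs for a full `user@domain` query while federation is off. That appears to hide accounts that already exist in the database, which the comment above says this path is meant to find. Falling through keeps the local search working: keep `except PermissionDenied:` and replace the return with `pass  # federation disabled: local results only`. What `data` holds at this point is set outside the hunk, so if the early return is intended, confirm the template renders sensibly without results.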