diff --git a/README.md b/README.md
index efe5db320..eb703f669 100644
--- a/README.md
+++ b/README.md
@@ -27,6 +27,11 @@ The following experimental features are enabled by default:
 - `repl-flake` (`Xp::ReplFlake`)
 - `fetch-tree` (`Xp::FetchTree`)
 
+### Additional settings
+
+The following settings are added to this fork:
+- `reject-flake-config`: rejects all flake configuration (including whitelisted settings) and warns about it
+
 ### Full thunk evaluation in `flake.nix`
 
 In stock Nix, only the outputs section of `flake.nix` is able to make full use of the Nix language.
diff --git a/src/libexpr/flake/config.cc b/src/libexpr/flake/config.cc
index 3c7ed5d8a..05a29f2e0 100644
--- a/src/libexpr/flake/config.cc
+++ b/src/libexpr/flake/config.cc
@@ -51,6 +51,11 @@ void ConfigFile::apply()
         else
             assert(false);
 
+        if (nix::fetchSettings.rejectFlakeConfig) {
+            warn("ignoring untrusted flake configuration setting '%s' due to the '%s' setting.", name, "reject-flake-config");
+            continue;
+        }
+
         if (!whitelist.count(baseName) && !nix::fetchSettings.acceptFlakeConfig) {
             bool trusted = false;
             auto trustedList = readTrustedList();
diff --git a/src/libfetchers/fetch-settings.hh b/src/libfetchers/fetch-settings.hh
index f095963a8..705ee16e6 100644
--- a/src/libfetchers/fetch-settings.hh
+++ b/src/libfetchers/fetch-settings.hh
@@ -87,6 +87,10 @@ struct FetchSettings : public Config
         "Whether to accept nix configuration from a flake without prompting.",
         {}, true, Xp::Flakes};
 
+    Setting rejectFlakeConfig{this, false, "reject-flake-config",
+        "Whether to reject nix configuration (including whitelisted settings) from a flake without prompting.",
+        {}, true, Xp::Flakes};
+
     Setting commitLockFileSummary{
         this, "", "commit-lockfile-summary",
         R"(
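Review bot: The warning text in the new `if (nix::fetchSettings.rejectFlakeConfig)` branch calls every rejected setting "untrusted", but the branch runs before the whitelist check and before `accept-flake-config` is consulted, so it also fires for whitelisted settings such as those the following `whitelist.count(baseName)` test would have allowed; the message should describe what actually happened. Suggested line: `warn("ignoring flake configuration setting '%s' because 'reject-flake-config' is set.", name);`. The fail-closed placement is the right choice for an untrusted `flake.nix`, but since it silently overrides `accept-flake-config` and the trusted list, a one-line comment stating that precedence above the check, e.g. `// reject-flake-config takes precedence over accept-flake-config, the whitelist and the trusted list`, would save the next reader from reordering it. The enclosing loop in ConfigFile::apply() starts and ends outside the hunk.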
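Review bot: The description string for `rejectFlakeConfig` copies the "without prompting" phrasing from `acceptFlakeConfig`, but rejecting never involves a prompt, and the text does not say that this setting overrides `accept-flake-config` and the trusted list, which is the property an operator enabling it cares about. Suggested replacement for the description line: `"Whether to reject all nix configuration from a flake (including whitelisted settings), overriding accept-flake-config; rejected settings are warned about."`. The `Setting` declarations here appear without their template argument on this page, which looks like an extraction artifact rather than a change in the patch; the declaration should carry the same bool template argument as `acceptFlakeConfig` above it.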