diff --git a/envknob/envknob.go b/envknob/envknob.go
index 18665f7f5..564d29d1c 100644
--- a/envknob/envknob.go
+++ b/envknob/envknob.go
@@ -264,13 +264,18 @@ func LookupInt(envVar string) (v int, ok bool) {
 // of Work-In-Progress code.
 func UseWIPCode() bool { return Bool("TAILSCALE_USE_WIP_CODE") }
 
-// CanSSHD is whether the Tailscale SSH server is allowed to run.
+// CanSSHD reports whether the Tailscale SSH server is allowed to run.
 //
-// If disabled, the SSH server won't start (won't intercept port 22)
-// if already enabled and any attempt to re-enable it will result in
-// an error.
+// If disabled (when this reports false), the SSH server won't start (won't
+// intercept port 22) if previously configured to do so and any attempt to
+// re-enable it will result in an error.
 func CanSSHD() bool { return !Bool("TS_DISABLE_SSH_SERVER") }
 
+// CanTaildrop reports whether the Taildrop feature is allowed to function.
+//
+// If disabled, Taildrop won't receive files regardless of user & server config.
+func CanTaildrop() bool { return !Bool("TS_DISABLE_TAILDROP") }
+
 // SSHPolicyFile returns the path, if any, to the SSHPolicy JSON file for development.
 func SSHPolicyFile() string { return String("TS_DEBUG_SSH_POLICY_FILE") }
 
diff --git a/ipn/ipnlocal/peerapi.go b/ipn/ipnlocal/peerapi.go
index c81848100..579c697ce 100644
--- a/ipn/ipnlocal/peerapi.go
+++ b/ipn/ipnlocal/peerapi.go
@@ -94,10 +94,6 @@ const (
 	deletedSuffix = ".deleted"
 )
 
-func (s *peerAPIServer) canReceiveFiles() bool {
-	return s != nil && s.rootDir != ""
-}
-
 func validFilenameRune(r rune) bool {
 	switch r {
 	case '/':
@@ -861,6 +857,10 @@ func (h *peerAPIHandler) peerHasCap(wantCap string) bool {
 }
 
 func (h *peerAPIHandler) handlePeerPut(w http.ResponseWriter, r *http.Request) {
+	if !envknob.CanTaildrop() {
+		http.Error(w, "Taildrop disabled on device", http.StatusForbidden)
+		return
+	}
 	if !h.canPutFile() {
 		http.Error(w, "Taildrop access denied", http.StatusForbidden)
 		return