diff --git a/pkg/api/dataproxy.go b/pkg/api/dataproxy.go
index dfdc867d4a4..bc286743533 100644
--- a/pkg/api/dataproxy.go
+++ b/pkg/api/dataproxy.go
@@ -6,6 +6,7 @@ import (
 "net/http"
 "net/http/httputil"
 "net/url"
+ "strings"
 "time"
 "github.com/grafana/grafana/pkg/api/cloudwatch"
@@ -107,6 +108,13 @@ func ProxyDataSourceRequest(c *middleware.Context) {
 proxyPath := c.Params("*")
+ if ds.Type == m.DS_PROMETHEUS {
+ if !(c.Req.Request.Method == "GET" && strings.Index(proxyPath, "api/") == 0) {
+ c.JsonApiErr(403, "GET is only allowed on proxied Prometheus datasource", nil)
+ return
+ }
+ }
+
 if ds.Type == m.DS_ES {
 if c.Req.Request.Method == "DELETE" {
 c.JsonApiErr(403, "Deletes not allowed on proxied Elasticsearch datasource", nil)
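Review bot: The prefix test in the new Prometheus branch runs on the raw `proxyPath` taken from `c.Params("*")`, so a path that begins with `api/` but contains `..` segments still satisfies it; whether the path is normalised before this point, or before the upstream URL is built, is not visible in the hunk. Consider cleaning the path and testing the result, e.g. `clean := path.Clean("/" + proxyPath)` followed by `strings.HasPrefix(clean, "/api/")` (this needs the `path` import), which is also the idiomatic form of `strings.Index(...) == 0`. The 403 message mentions only the method although the same branch also rejects GET requests outside `api/`; a text such as `"Only GET requests under api/ are allowed on proxied Prometheus datasource"` would match the check and make denied requests easier to triage from logs. ProxyDataSourceRequest starts and ends outside the hunk.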