diff --git a/docs/changelog.rst b/docs/changelog.rst index f39c41584..7338282f5 100644 --- a/docs/changelog.rst +++ b/docs/changelog.rst @@ -335,6 +335,9 @@ Fixes: * :doc:`/plugins/chroma`: Fixed submitting AcoustID information for tracks that already have a fingerprint. :bug:`3834` +* :doc:`/plugins/web`: DELETE and PATCH methods are disallowed by default. + Set ``readonly: no`` web config option to enable them. + :bug:`3870` For plugin developers: diff --git a/docs/plugins/web.rst b/docs/plugins/web.rst index 16dd43174..3a7e6d122 100644 --- a/docs/plugins/web.rst +++ b/docs/plugins/web.rst @@ -66,6 +66,8 @@ configuration file. The available options are: Default: false. - **include_paths**: If true, includes paths in item objects. Default: false. +- **readonly**: If true, DELETE and PATCH operations are not allowed. Only GET is permitted. + Default: true. Implementation -------------- @@ -189,6 +191,8 @@ code. Removes the item with id *6* from the beets library. If the *?delete* query string is included, the matching file will be deleted from disk. +Only allowed if ``readonly`` configuration option is set to ``no``. + ``PATCH /item/6`` ++++++++++++++++++ @@ -203,6 +207,8 @@ Returns the updated JSON representation. :: ... } +Only allowed if ``readonly`` configuration option is set to ``no``. + ``GET /item/6,12,13`` +++++++++++++++++++++ @@ -279,6 +285,7 @@ or ``/album/5,7``. In addition we can request the cover art of an album with ``GET /album/5/art``. You can also add the '?expand' flag to get the individual items of an album. +``DELETE`` is only allowed if ``readonly`` configuration option is set to ``no``. ``GET /stats`` ++++++++++++++
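Review bot: in the docs/changelog.rst hunk, the new entry is filed under "Fixes:" but it changes a default, so any existing setup that relies on DELETE or PATCH stops working after the upgrade. Say that explicitly in the entry, for example by adding that existing configurations must set ``readonly: no`` to keep write access. The second added line also reads better as "Set the ``readonly`` option to ``no`` in the web configuration to enable them."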
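Review bot: in the options-list hunk of docs/plugins/web.rst (@@ -66,6 +66,8 @@), the **readonly** entry makes two different claims: "DELETE and PATCH operations are not allowed" and "Only GET is permitted". The second is broader than the first, and the rest of the patch only ever mentions DELETE and PATCH, so state which of the two the option actually enforces. The entry also writes the value as true ("Default: true.") while the changelog and the endpoint notes write ``readonly: no`` and "set to ``no``"; pick one spelling and use it throughout. The first added line is also much longer than the neighbouring entries and should be wrapped like them.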
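Review bot: in the ``DELETE /item/6`` hunk (@@ -189,6 +191,8 @@), the added sentence "Only allowed if ``readonly`` configuration option is set to ``no``." does not say what a client gets back when the method is refused. Document the response returned in read-only mode so that API consumers can tell a read-only server apart from other failures; this matters most here because the preceding context line describes *?delete* removing the file from disk. The same sentence is added in the ``PATCH /item/6`` hunk and needs the same detail. Minor wording: "if the ``readonly`` configuration option".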
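Review bot: in the album hunk (@@ -279,6 +285,7 @@), the added line follows "You can also add the '?expand' flag ..." with no blank line, so reStructuredText will run it into that paragraph, whereas the two item hunks set the note off as its own paragraph. Add a blank line before it. The line also names only ``DELETE``, while the item section covers both DELETE and PATCH; if albums accept PATCH as well, mention it here, and if they do not, it is worth saying so.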