diff --git a/app/controllers/api/base_controller.rb b/app/controllers/api/base_controller.rb
index 68c4f3962a8..662d22974dd 100644
--- a/app/controllers/api/base_controller.rb
+++ b/app/controllers/api/base_controller.rb
@@ -92,7 +92,7 @@ class Api::BaseController < ApplicationController
   end
 
   def disallow_unauthenticated_api_access?
-    ENV['DISALLOW_UNAUTHENTICATED_API_ACCESS'] == 'true' || Rails.configuration.x.mastodon.limited_federation_mode
+    Rails.configuration.x.mastodon.disallow_unauthenticated_api_access || Rails.configuration.x.mastodon.limited_federation_mode
   end
 
   private
diff --git a/app/serializers/webfinger_serializer.rb b/app/serializers/webfinger_serializer.rb
index 4fa9c6631ff..976d641c47d 100644
--- a/app/serializers/webfinger_serializer.rb
+++ b/app/serializers/webfinger_serializer.rb
@@ -30,12 +30,15 @@ class WebfingerSerializer < ActiveModel::Serializer
   private
 
   def show_avatar?
-    media_present = object.avatar.present? && object.avatar.content_type.present?
+    media_present? && config_allows_public_access?
+  end
 
-    # Show avatar only if an instance shows profiles to logged out users allowed_by_config = ENV['DISALLOW_UNAUTHENTICATED_API_ACCESS'] != 'true' && !Rails.configuration.x.mastodon.limited_federation_mode
+  def media_present?
+    object.avatar.present? && object.avatar.content_type.present?
+  end
 
-    media_present && allowed_by_config
+  def config_allows_public_access?
+    !Rails.configuration.x.mastodon.disallow_unauthenticated_api_access && !Rails.configuration.x.mastodon.limited_federation_mode
   end
 
   def profile_page_href
diff --git a/config/mastodon.yml b/config/mastodon.yml
index 4585e1f2aee..80e0c73f36f 100644
--- a/config/mastodon.yml
+++ b/config/mastodon.yml
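Review bot: The new body of `disallow_unauthenticated_api_access?` fails open when the config key is missing: as far as I can tell `Rails.configuration.x.mastodon` is an OrderedOptions-style object that returns nil for unknown keys, so a typo in the key name or a deployment whose mastodon.yml lacks the `disallow_unauthenticated_api_access` entry silently re-enables unauthenticated API reads. The replaced `ENV[...] == 'true'` check had the same default, so this is not a regression, but the decision has moved from a literal string comparison to a lookup that gives no signal when it misses. A comment would at least record the coupling, e.g. `# Both flags are booleans resolved at boot in config/mastodon.yml; a missing key reads as nil, i.e. access allowed.` If a fail-closed default is wanted, a boot-time check that the value is exactly `true` or `false` would catch the misconfiguration.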
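Review bot: `config_allows_public_access?` is a hand-rolled inverse of `Api::BaseController#disallow_unauthenticated_api_access?` from the first hunk, so the same security decision now lives in two places that can drift the next time either one gains a condition. Because `show_avatar?` only gates a public avatar URL, drift here means an information leak rather than an access bypass, but one source of truth is still cheaper. I would write it as the literal negation of the controller expression, `!(Rails.configuration.x.mastodon.disallow_unauthenticated_api_access || Rails.configuration.x.mastodon.limited_federation_mode)`, and put `# Must stay the inverse of Api::BaseController#disallow_unauthenticated_api_access?` above it, or better, have both call a shared predicate.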
@@ -1,5 +1,6 @@
 ---
 shared:
+  disallow_unauthenticated_api_access: <%= ENV.fetch('DISALLOW_UNAUTHENTICATED_API_ACCESS', nil) == 'true' %>
   experimental_features: <%= ENV.fetch('EXPERIMENTAL_FEATURES', nil) %>
   limited_federation_mode: <%= (ENV.fetch('LIMITED_FEDERATION_MODE', nil) || ENV.fetch('WHITELIST_MODE', nil)) == 'true' %>
   self_destruct_value: <%= ENV.fetch('SELF_DESTRUCT', nil)&.to_json %>
diff --git a/spec/requests/cache_spec.rb b/spec/requests/cache_spec.rb
index 19406c284b7..011b5658132 100644
--- a/spec/requests/cache_spec.rb
+++ b/spec/requests/cache_spec.rb
@@ -555,9 +555,10 @@ RSpec.describe 'Caching behavior' do
 
   context 'when enabling DISALLOW_UNAUTHENTICATED_API_ACCESS' do
     around do |example|
-      ClimateControl.modify DISALLOW_UNAUTHENTICATED_API_ACCESS: 'true' do
-        example.run
-      end
+      original = Rails.configuration.x.mastodon.disallow_unauthenticated_api_access
+      Rails.configuration.x.mastodon.disallow_unauthenticated_api_access = true
+      example.run
+      Rails.configuration.x.mastodon.disallow_unauthenticated_api_access = original
     end
 
     context 'when anonymously accessed' do
diff --git a/spec/requests/well_known/webfinger_spec.rb b/spec/requests/well_known/webfinger_spec.rb
index 0c4a3c03474..c1393935c54 100644
--- a/spec/requests/well_known/webfinger_spec.rb
+++ b/spec/requests/well_known/webfinger_spec.rb
@@ -189,9 +189,10 @@ RSpec.describe 'The /.well-known/webfinger endpoint' do
 
   context 'when enabling DISALLOW_UNAUTHENTICATED_API_ACCESS' do
     around do |example|
-      ClimateControl.modify DISALLOW_UNAUTHENTICATED_API_ACCESS: 'true' do
-        example.run
-      end
+      original = Rails.configuration.x.mastodon.disallow_unauthenticated_api_access
+      Rails.configuration.x.mastodon.disallow_unauthenticated_api_access = true
+      example.run
+      Rails.configuration.x.mastodon.disallow_unauthenticated_api_access = original
     end
 
     it 'does not return avatar in response' do
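Review bot: The added `disallow_unauthenticated_api_access` entry enables the restriction only for the exact string `'true'`, so `DISALLOW_UNAUTHENTICATED_API_ACCESS=1`, `TRUE` or `yes` evaluate to false and silently leave the API publicly readable, which is the unsafe direction for a hardening toggle. This mirrors the `limited_federation_mode` line below and the inline ENV check this commit replaces, so behaviour is unchanged, but the config file is now the one place an operator will look. I would add `# only the literal value 'true' enables this; any other value leaves unauthenticated API access allowed` above the line, and consider a boot-time warning when the variable is set to anything other than `true` or `false`.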
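Review bot: The new `around` hook sets `disallow_unauthenticated_api_access = true` and restores it after `example.run` without an `ensure`, so if anything raises between the assignment and the restore (the hook body itself, or an exception RSpec lets escape from `example.run`) the flag stays `true` for every later example in the process. The `ClimateControl.modify` block it replaces restores the environment in an `ensure`, as far as I recall, so this is a small loss of test isolation, and a leaked `true` would show up as confusing failures in unrelated specs. I would wrap the run so the restore always happens, as below.
```ruby
      original = Rails.configuration.x.mastodon.disallow_unauthenticated_api_access
      Rails.configuration.x.mastodon.disallow_unauthenticated_api_access = true
      begin
        example.run
      ensure
        Rails.configuration.x.mastodon.disallow_unauthenticated_api_access = original
      end
```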
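Review bot: This `around` hook is a line-for-line copy of the one added to spec/requests/cache_spec.rb in the same commit, including the restore that is not protected by `ensure`, so two copies of the same flag-toggling logic will drift the next time the config accessor changes. A single spec-support helper, something like `def with_disallow_unauthenticated_api_access(&block)` that saves, sets and restores the flag inside `begin`/`ensure`, would let both files read `around { |example| with_disallow_unauthenticated_api_access { example.run } }`. I have not seen the spec support directory, so the exact home for that helper is a guess.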