diff --git a/wavesrv/cmd/main-server.go b/wavesrv/cmd/main-server.go
index a1c28b710..d7433246f 100644
--- a/wavesrv/cmd/main-server.go
+++ b/wavesrv/cmd/main-server.go
@@ -683,6 +683,24 @@ func HandleRunCommand(w http.ResponseWriter, r *http.Request) {
 	WriteJsonSuccess(w, update)
 }
 
+func AuthKeyMiddleWare(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		reqAuthKey := r.Header.Get("X-AuthKey")
+		if reqAuthKey == "" {
+			w.WriteHeader(500)
+			w.Write([]byte("no x-authkey header"))
+			return
+		}
+		if reqAuthKey != GlobalAuthKey {
+			w.WriteHeader(500)
+			w.Write([]byte("x-authkey header is invalid"))
+			return
+		}
+		w.Header().Set(CacheControlHeaderKey, CacheControlHeaderNoCache)
+		next.ServeHTTP(w, r)
+	})
+}
+
 func AuthKeyWrap(fn WebFnType) WebFnType {
 	return func(w http.ResponseWriter, r *http.Request) {
 		reqAuthKey := r.Header.Get("X-AuthKey")
@@ -911,7 +929,10 @@ func main() {
 	gr.HandleFunc("/api/log-active-state", AuthKeyWrap(HandleLogActiveState))
 	gr.HandleFunc("/api/read-file", AuthKeyWrap(HandleReadFile))
 	gr.HandleFunc("/api/write-file", AuthKeyWrap(HandleWriteFile)).Methods("POST")
-	gr.HandleFunc("/api/config", AuthKeyWrap(HandleConfig))
+	configPath := path.Join(scbase.GetWaveHomeDir(), "config") + "/"
+	log.Printf("config path: %v\n", configPath)
+	gr.PathPrefix("/config/").Handler(AuthKeyMiddleWare(http.StripPrefix("/config/", http.FileServer(http.Dir(configPath)))))
+
 	serverAddr := MainServerAddr
 	if scbase.IsDevMode() {
 		serverAddr = MainServerDevAddr