diff --git a/server/server.go b/server/server.go
index 64232ab..f538289 100644
--- a/server/server.go
+++ b/server/server.go
@@ -400,7 +400,7 @@ func (s *Server) handleInternal(w http.ResponseWriter, r *http.Request, v *visit
 	} else if (r.Method == http.MethodGet || r.Method == http.MethodHead) && fileRegex.MatchString(r.URL.Path) && s.config.AttachmentCacheDir != "" {
 		return s.limitRequests(s.handleFile)(w, r, v)
 	} else if r.Method == http.MethodOptions {
-		return s.ensureWebEnabled(s.handleOptions)(w, r, v)
+		return s.limitRequests(s.handleOptions)(w, r, v) // Should work even if the web app is not enabled, see #598
 	} else if (r.Method == http.MethodPut || r.Method == http.MethodPost) && r.URL.Path == "/" {
 		return s.limitRequests(s.transformBodyJSON(s.authorizeTopicWrite(s.handlePublish)))(w, r, v)
 	} else if r.Method == http.MethodPost && r.URL.Path == matrixPushPath {
diff --git a/server/server_account_test.go b/server/server_account_test.go
index a26bfc9..fb1cb40 100644
--- a/server/server_account_test.go
+++ b/server/server_account_test.go
@@ -263,7 +263,7 @@ func TestAccount_ChangePassword(t *testing.T) {
 		"Authorization": util.BasicAuth("phil", "phil"),
 	})
 	require.Equal(t, 400, rr.Code)
-	require.Equal(t, 40030, toHTTPError(t, rr.Body.String()).Code)
+	require.Equal(t, 40026, toHTTPError(t, rr.Body.String()).Code)
 
 	rr = request(t, s, "POST", "/v1/account/password", `{"password": "phil", "new_password": "new password"}`, map[string]string{
 		"Authorization": util.BasicAuth("phil", "phil"),
@@ -414,7 +414,7 @@ func TestAccount_Delete_Not_Allowed(t *testing.T) {
 		"Authorization": util.BasicAuth("phil", "mypass"),
 	})
 	require.Equal(t, 400, rr.Code)
-	require.Equal(t, 40030, toHTTPError(t, rr.Body.String()).Code)
+	require.Equal(t, 40026, toHTTPError(t, rr.Body.String()).Code)
 }
 
 func TestAccount_Reservation_AddWithoutTierFails(t *testing.T) {