diff --git a/combo/apps/dashboard/views.py b/combo/apps/dashboard/views.py
index 460693fe..5b176c6c 100644
--- a/combo/apps/dashboard/views.py
+++ b/combo/apps/dashboard/views.py
@@ -21,7 +21,7 @@ from django.contrib.contenttypes.models import ContentType
 from django.core.exceptions import PermissionDenied
 from django.urls import reverse
 from django.db.models import Max, Min
-from django.http import Http404, HttpResponse, HttpResponseBadRequest, HttpResponseRedirect
+from django.http import Http404, HttpResponse, HttpResponseBadRequest, HttpResponseRedirect, HttpResponseNotAllowed
 from django.utils.encoding import force_text
 from django.views.decorators.csrf import csrf_exempt
 from django.views.generic import View
@@ -111,6 +111,9 @@ dashboard_remove_tile = DashboardRemoveTileView.as_view()
 
 @csrf_exempt
 def dashboard_auto_tile(request, *args, **kwargs):
+    if request.method != 'POST':
+        return HttpResponseNotAllowed(['post'])
+
     dashboard = DashboardCell.objects.all()[0]
     cell = ConfigJsonCell(key=kwargs.get('key'), order=1, page_id=dashboard.page_id,
                           placeholder='_auto_tile')
diff --git a/tests/test_dashboard.py b/tests/test_dashboard.py
index e963287c..636e7260 100644
--- a/tests/test_dashboard.py
+++ b/tests/test_dashboard.py
@@ -214,6 +214,10 @@ def test_auto_tile(app, site):
             params=json.dumps({'var2': 'two'}),
             content_type='application/json',
             status=400)
+    # and with a GET instead of POST
+    resp = app.get(reverse('combo-dashboard-auto-tile', kwargs={'key': 'test-config-json-cell'}),
+            status=405)
+
 
 def test_clean_autotiles(app, site):
     appconfig = apps.get_app_config('dashboard')
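Review bot: The Allow header produced by the new guard names the method in lowercase, `HttpResponseNotAllowed(['post'])`, while HTTP method tokens are case-sensitive and the guard itself compares against `'POST'`; it should read `return HttpResponseNotAllowed(['POST'])`. Django ships this exact check as `require_POST` in `django.views.decorators.http`, which returns the same 405 with a correctly cased Allow header and stacks under `@csrf_exempt`, so the three added lines could be replaced by that decorator. The guard only narrows the accepted method; the view remains `csrf_exempt`, so any check on who is calling the endpoint still has to live in the body, which continues past the end of this hunk.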
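Review bot: `resp` is assigned on the added `app.get(...)` line but never read, so the new test only pins the status code. Assuming the `app` fixture is a WebTest application, asserting the advertised method as well, `assert resp.headers['Allow'] == 'POST'`, would check the contract a 405 is meant to communicate and would currently fail against the lowercase value the view sends. If the response is not otherwise needed, dropping the `resp =` assignment keeps the test free of an unused local.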