diff --git a/barbican/api/controllers/secrets.py b/barbican/api/controllers/secrets.py
index a47d6a8da..f0530adcc 100644
--- a/barbican/api/controllers/secrets.py
+++ b/barbican/api/controllers/secrets.py
@@ -78,8 +78,15 @@ class SecretController(controllers.ACLMixin):
                 return secretmeta.SecretMetadataController(self.secret), \
                     remainder
             else:
-                return secretmeta.SecretMetadatumController(self.secret), \
-                    remainder
+                request_method = pecan.request.method
+                allowed_methods = ['GET', 'PUT', 'DELETE']
+
+                if request_method in allowed_methods:
+                    return secretmeta.SecretMetadatumController(self.secret), \
+                        remainder
+                else:
+                    # methods cannot be handled at controller level
+                    pecan.abort(405)
         else:
             # only 'acl' and 'metadata' as sub-resource is supported
             pecan.abort(405)
diff --git a/barbican/tests/api/controllers/test_secretmeta.py b/barbican/tests/api/controllers/test_secretmeta.py
index bc6bc9d15..5d48127d1 100644
--- a/barbican/tests/api/controllers/test_secretmeta.py
+++ b/barbican/tests/api/controllers/test_secretmeta.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2016 IBM
+# Copyright (c) 2017 IBM
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -255,6 +255,21 @@ class WhenTestingSecretMetadatumResource(utils.BarbicanAPIBaseTestCase):
                                expect_errors=True)
         self.assertEqual(405, resp.status_int)
 
+    @mock.patch('barbican.model.repositories.SecretUserMetadatumRepo.'
+                'get_metadata_for_secret')
+    def test_returns_405_for_head_on_metadatum(self, mocked_get):
+        secret_id, secret_resp = create_secret(self.app)
+
+        mocked_get.return_value = self.valid_metadata['metadata']
+        meta_resp = create_secret_metadatum(self.app,
+                                            self.valid_metadatum,
+                                            secret_id)
+        self.assertEqual(201, meta_resp.status_int)
+
+        resp = self.app.head('/secrets/{0}/metadata/access-limit'.format(
+            secret_id), expect_errors=True)
+        self.assertEqual(405, resp.status_int)
+
 
 # ----------------------- Helper Functions ---------------------------
 def create_secret(app, name=None, algorithm=None, bit_length=None, mode=None,