diff --git a/lib/controllers/boxesController.js b/lib/controllers/boxesController.js
index 6b57f1e7..6d12fe07 100644
--- a/lib/controllers/boxesController.js
+++ b/lib/controllers/boxesController.js
@@ -17,7 +17,8 @@ const restify = require('restify'),
     parseAndValidateTimeParams,
     GET_DATA_MULTI_DEFAULT_COLUMNS,
     GET_DATA_MULTI_ALLOWED_COLUMNS,
-    validateBboxParam
+    validateBboxParam,
+    checkBoxIdOwner
   } = require('../requestUtils'),
   { point } = require('@turf/helpers'),
   outlierTransformer = require('../statistics').outlierTransformer,
@@ -857,9 +858,13 @@ module.exports = {
     retrieveParameters([
       { name: 'password', dataType: 'String', required: true }
     ]),
+    checkBoxIdOwner,
     deleteBox
   ],
-  getScript,
+  getScript: [
+    checkBoxIdOwner,
+    getScript
+  ],
   getData: [
     retrieveParameter('format', 'String', 'json', ['json', 'csv']),
     retrieveParameter('download', 'String', false, ['true', 'false']),
@@ -894,6 +899,7 @@ module.exports = {
       { name: 'sensors', dataType: ['object'] },
       { name: 'addons', dataType: 'object' }
     ]),
+    checkBoxIdOwner,
     updateBox
   ],
   getMeasurements,
diff --git a/lib/controllers/sensorsController.js b/lib/controllers/sensorsController.js
index 4b54580d..3ed43481 100644
--- a/lib/controllers/sensorsController.js
+++ b/lib/controllers/sensorsController.js
@@ -117,6 +117,7 @@ module.exports = {
       { name: 'timestamps', dataType: ['ISO8601'] }
     ]),
     requestUtils.parseAndValidateTimeParamsOptional,
+    requestUtils.checkBoxIdOwner,
     deleteSensorData
   ]
 };
diff --git a/lib/models/user.js b/lib/models/user.js
index 252d35e8..93949b93 100644
--- a/lib/models/user.js
+++ b/lib/models/user.js
@@ -371,20 +371,26 @@ userSchema.methods.addBox = function addBox (params) {
     });
 };
 
-userSchema.methods.removeBox = function removeBox (boxId) {
+userSchema.methods.checkBoxOwner = function checkBoxOwner (boxId) {
   const user = this;
 
   // first check if the box belongs to this user
   if (!user.boxes) {
-    return Promise.reject(new Error('user does not own this senseBox'));
+    throw new ModelError('User does not own this senseBox', { type: 'ForbiddenError' });
   }
 
   const userOwnsBox = user.boxes.some(b => b.equals(boxId));
 
   if (userOwnsBox === false) {
-    return Promise.reject(new Error('user does not own this senseBox'));
+    throw new ModelError('User does not own this senseBox', { type: 'ForbiddenError' });
   }
 
+  return true;
+};
+
+userSchema.methods.removeBox = function removeBox (boxId) {
+  const user = this;
+
   return Box.findById(boxId)
     .exec()
     .then(function (box) {
diff --git a/lib/requestUtils.js b/lib/requestUtils.js
index d67e56c8..ca1f0d91 100644
--- a/lib/requestUtils.js
+++ b/lib/requestUtils.js
@@ -576,6 +576,16 @@ const clearCache = function clearCache (identifiers) {
   }
 };
 
+const checkBoxIdOwner = function checkBoxIdOwner (req, res, next) {
+  try {
+    req.user.checkBoxOwner(req._userParams.boxId);
+
+    return next();
+  } catch (err) {
+    return next(new restify.ForbiddenError(err.message));
+  }
+};
+
 module.exports = {
   checkContentType,
   validateIdParams,
@@ -591,5 +601,6 @@ module.exports = {
   GET_DATA_MULTI_ALLOWED_COLUMNS: ['createdAt', 'value', 'lat', 'lon', 'unit', 'boxId', 'sensorId', 'phenomenon', 'sensorType', 'boxName', 'exposure'],
   setHoneybadgerContext,
   addCache,
-  clearCache
+  clearCache,
+  checkBoxIdOwner
 };