diff --git a/x-pack/plugins/fleet/common/types/index.ts b/x-pack/plugins/fleet/common/types/index.ts index 6eb31fd79aa773..fe34b36f7781f8 100644 --- a/x-pack/plugins/fleet/common/types/index.ts +++ b/x-pack/plugins/fleet/common/types/index.ts @@ -34,6 +34,7 @@ export interface FleetConfigType { agentIdVerificationEnabled?: boolean; developer?: { disableRegistryVersionCheck?: boolean; + allowAgentUpgradeSourceUri?: boolean; }; } diff --git a/x-pack/plugins/fleet/server/index.ts b/x-pack/plugins/fleet/server/index.ts index f66bf00a5a054c..7bf3ca161f4eeb 100644 --- a/x-pack/plugins/fleet/server/index.ts +++ b/x-pack/plugins/fleet/server/index.ts @@ -96,6 +96,7 @@ export const config: PluginConfigDescriptor = { agentIdVerificationEnabled: schema.boolean({ defaultValue: true }), developer: schema.object({ disableRegistryVersionCheck: schema.boolean({ defaultValue: false }), + allowAgentUpgradeSourceUri: schema.boolean({ defaultValue: false }), }), }), }; diff --git a/x-pack/plugins/fleet/server/routes/agent/upgrade_handler.ts b/x-pack/plugins/fleet/server/routes/agent/upgrade_handler.ts index 52f62037f61e65..bf386e7f463a7a 100644 --- a/x-pack/plugins/fleet/server/routes/agent/upgrade_handler.ts +++ b/x-pack/plugins/fleet/server/routes/agent/upgrade_handler.ts @@ -28,6 +28,7 @@ export const postAgentUpgradeHandler: RequestHandler< const kibanaVersion = appContextService.getKibanaVersion(); try { checkVersionIsSame(version, kibanaVersion); + checkSourceUriAllowed(sourceUri); } catch (err) { return response.customError({ statusCode: 400, @@ -82,6 +83,7 @@ export const postBulkAgentsUpgradeHandler: RequestHandler< const kibanaVersion = appContextService.getKibanaVersion(); try { checkVersionIsSame(version, kibanaVersion); + checkSourceUriAllowed(sourceUri); } catch (err) { return response.customError({ statusCode: 400, 
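Review bot: `allowAgentUpgradeSourceUri` in the `developer` schema of `x-pack/plugins/fleet/server/index.ts` carries no comment saying what it unlocks, and the name alone does not tell an operator that it changes which upgrade requests the API will accept. I would add `// Dev/test only: when true, the agent upgrade APIs accept a caller-supplied source_uri. Keep false in production.` above the schema line. The same comment belongs on the matching `FleetConfigType` field in `common/types/index.ts`. The `config` object starts outside the hunk.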
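Review bot: The `checkSourceUriAllowed(sourceUri)` call in `postAgentUpgradeHandler`, and the identical call in `postBulkAgentsUpgradeHandler` in the next hunk, enforces the setting only at the HTTP route. Any other code path that creates an upgrade action with a source URI would not be covered. If the service functions behind these handlers also take `sourceUri` (they are outside the hunks, so this is an assumption), placing the check there would make the restriction hold for every caller. A rejected request also leaves no trace beyond the 400 response, so a warn-level log line in the `catch` would tell operators that a caller tried to set `source_uri` while it is disabled. Both handler bodies start and end outside the hunks.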
@@ -127,3 +129,11 @@ export const checkVersionIsSame = (version: string, kibanaVersion: string) => { `cannot upgrade agent to ${versionToUpgradeNumber} because it is different than the installed kibana version ${kibanaVersionNumber}` ); }; + +const checkSourceUriAllowed = (sourceUri?: string) => { + if (sourceUri && !appContextService.getConfig()?.developer?.allowAgentUpgradeSourceUri) { + throw new Error( + `source_uri is not allowed or recommended in production. Set xpack.fleet.developer.allowAgentUpgradeSourceUri in kibana.yml to enable.` + ); + } +}; diff --git a/x-pack/test/fleet_api_integration/apis/agents/upgrade.ts b/x-pack/test/fleet_api_integration/apis/agents/upgrade.ts index 8708b035050ccd..8901c3166ca143 100644 --- a/x-pack/test/fleet_api_integration/apis/agents/upgrade.ts +++ b/x-pack/test/fleet_api_integration/apis/agents/upgrade.ts @@ -57,7 +57,6 @@ export default function (providerContext: FtrProviderContext) { .set('kbn-xsrf', 'xxx') .send({ version: kibanaVersion, - source_uri: 'http://path/to/download', }) .expect(200); @@ -160,9 +159,23 @@ export default function (providerContext: FtrProviderContext) { .set('kbn-xsrf', 'xxx') .send({ version: higherVersion, + }) + .expect(400); + }); + it('should respond 400 if trying to upgrade with source_uri set', async () => { + const kibanaVersion = await kibanaServer.version.get(); + const res = await supertest + .post(`/api/fleet/agents/agent1/upgrade`) + .set('kbn-xsrf', 'xxx') + .send({ + version: kibanaVersion, source_uri: 'http://path/to/download', }) .expect(400); + + expect(res.body.message).to.eql( + `source_uri is not allowed or recommended in production. Set xpack.fleet.developer.allowAgentUpgradeSourceUri in kibana.yml to enable.` + ); }); it('should respond 400 if trying to upgrade an agent that is unenrolling', async () => { const kibanaVersion = await kibanaServer.version.get(); 
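Review bot: `checkSourceUriAllowed` tests `sourceUri` for truthiness, so a request carrying `source_uri: ''` skips the gate even when `allowAgentUpgradeSourceUri` is false. Comparing against `undefined` closes that: `if (sourceUri !== undefined && !appContextService.getConfig()?.developer?.allowAgentUpgradeSourceUri) {`. Whether the request schema already rejects an empty string is not visible in this diff. When the flag is on, this function accepts the value without checking its scheme or host, which deserves a comment above the function such as `// Gate only: does not validate the URI itself. Enable the developer flag on test deployments only.`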
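Review bot: The new case `should respond 400 if trying to upgrade with source_uri set` covers only the default configuration, and the earlier hunk in this file removes `source_uri` from the 200 case. As a result, no test in this diff exercises a request with `source_uri` while `xpack.fleet.developer.allowAgentUpgradeSourceUri` is true. A unit test around the handler with the config stubbed to true, plus one sending `source_uri: ''`, would pin both sides of the gate. The enclosing suite starts and ends outside the hunk.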
@@ -545,6 +558,43 @@ export default function (providerContext: FtrProviderContext) { .expect(400); }); + it('should respond 400 if trying to bulk upgrade to a version that does not match installed kibana version', async () => { + const kibanaVersion = await kibanaServer.version.get(); + await es.update({ + id: 'agent1', + refresh: 'wait_for', + index: AGENTS_INDEX, + body: { + doc: { + local_metadata: { elastic: { agent: { upgradeable: true, version: '0.0.0' } } }, + }, + }, + }); + await es.update({ + id: 'agent2', + refresh: 'wait_for', + index: AGENTS_INDEX, + body: { + doc: { + local_metadata: { elastic: { agent: { upgradeable: true, version: '0.0.0' } } }, + }, + }, + }); + const res = await supertest + .post(`/api/fleet/agents/bulk_upgrade`) + .set('kbn-xsrf', 'xxx') + .send({ + agents: ['agent1', 'agent2'], + version: kibanaVersion, + source_uri: 'http://path/to/download', + force: true, + }) + .expect(400); + expect(res.body.message).to.eql( + `source_uri is not allowed or recommended in production. Set xpack.fleet.developer.allowAgentUpgradeSourceUri in kibana.yml to enable.` + ); + }); + it('enrolled in a hosted agent policy bulk upgrade should respond with 200 and object of results. Should not update the hosted agent SOs', async () => { // move agent2 to policy2 to keep it regular await supertest.put(`/api/fleet/agents/agent2/reassign`).set('kbn-xsrf', 'xxx').send({
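Review bot: The title of the added bulk case says `version that does not match installed kibana version`, but the request sends `version: kibanaVersion` and the assertion checks the `source_uri` message, so the name describes a different failure from the one tested. Rename it to match the single-agent case: `it('should respond 400 if trying to bulk upgrade with source_uri set', async () => {`. The request also sends `force: true`, so a one-line comment that the `source_uri` rejection is expected to hold even with `force` set would make that intent explicit.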