diff --git a/src/commands/app/dev/index.js b/src/commands/app/dev/index.js
index d71b631..9d0964d 100644
--- a/src/commands/app/dev/index.js
+++ b/src/commands/app/dev/index.js
@@ -163,6 +163,7 @@ class Dev extends BaseCommand {
     const runOptions = {
       skipActions: false,
       skipServe: false,
+      strictMode: flags.strict,
       parcel: {
         logLevel: flags.verbose ? 'verbose' : 'warn',
         // always set to false on localhost to get debugging and hot reloading
@@ -305,6 +306,10 @@ Dev.flags = {
     default: false,
     char: 'o'
   }),
+  strict: Flags.boolean({
+    description: 'Run in strict mode, this will block non-web actions from being run directly',
+    defaullt: false
+  }),
   extension: Flags.string({
     description: 'Run only a specific extension, this flag can only be specified once',
     char: 'e',
diff --git a/src/lib/run-dev.js b/src/lib/run-dev.js
index d90e39f..86b40f0 100644
--- a/src/lib/run-dev.js
+++ b/src/lib/run-dev.js
@@ -73,6 +73,8 @@ async function runDev (runOptions, config, _inprocHookRunner) {
   const hasBackend = devConfig.app.hasBackend
   const httpsSettings = runOptions?.parcel?.https
 
+  actionConfig.strictMode = runOptions.strictMode === true
+
   serveLogger.debug('hasBackend', hasBackend)
   serveLogger.debug('hasFrontend', hasFrontend)
   serveLogger.debug('httpsSettings', JSON.stringify(httpsSettings, null, 2))
@@ -508,8 +510,7 @@ async function serveWebAction (req, res, actionConfig, distFolder, actionLoader
     distFolder,
     contextActionLoader: actionLoader
   }
-
-  if (invoker && !sequence) {
+  if (invoker && !sequence && !actionConfig.strictMode) {
     if (!isWebAction(contextItem)) {
       actionLogger.warn('serving non-web action : this call will fail without credentials when deployed.')
     }