diff --git a/tests/py/test_is_suspicious.py b/tests/py/test_is_suspicious.py
index bbf5512282..d5fe9fe998 100644
--- a/tests/py/test_is_suspicious.py
+++ b/tests/py/test_is_suspicious.py
@@ -10,7 +10,7 @@ def setUp(self):
 self.bar = self.make_participant('bar', is_admin=True)
 def toggle_is_suspicious(self):
- self.client.GET('/~foo/toggle-is-suspicious.json', auth_as='bar')
+ self.client.POST('/~foo/toggle-is-suspicious.json', auth_as='bar')
 def test_that_is_suspicious_defaults_to_None(self):
 foo = self.make_participant('foo', claimed_time='now')
diff --git a/www/dashboard/index.spt b/www/dashboard/index.spt
index 0e01fb3a77..163a3170a7 100644
--- a/www/dashboard/index.spt
+++ b/www/dashboard/index.spt
@@ -54,7 +54,7 @@ title = _("Fraud Review Dashboard")
 var row = $(this).parent();
 var to = $(this).text() !== 'Good';
 var username = row.attr('username');
- var url = "/" + username + "/toggle-is-suspicious.json";
+ var url = "/~" + username + "/toggle-is-suspicious.json";
 function success() {
diff --git a/www/~/%username/toggle-is-suspicious.json.spt b/www/~/%username/toggle-is-suspicious.json.spt
index a5362578b5..1549eeabb7 100644
--- a/www/~/%username/toggle-is-suspicious.json.spt
+++ b/www/~/%username/toggle-is-suspicious.json.spt
@@ -5,6 +5,8 @@ from gratipay.utils import get_participant
 if not user.ADMIN:
 raise Response(400)
+request.allow('POST')
+
 to = request.body.get('to')
 if not to in ('true', 'false', None):
 raise Response(400)
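Review bot: Nothing in tests/py/test_is_suspicious.py pins the new method restriction: the helper `toggle_is_suspicious` now sends a POST, but no test asserts that a GET to `/~foo/toggle-is-suspicious.json` is refused. A negative test that issues the GET as the admin `bar`, expects a 405, and checks that `is_suspicious` is unchanged would catch a regression back to a state-changing GET. The test class starts and ends outside the hunk, so such a test may already exist elsewhere in the file.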
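Review bot: In www/dashboard/index.spt the `username` attribute is concatenated into the request path unencoded, so a value containing `/`, `?` or `#` would send the toggle to a different path than the row shows. `var url = "/~" + encodeURIComponent(username) + "/toggle-is-suspicious.json";` keeps it inside one path segment. The call that sends this URL is outside the hunk; since the endpoint rejects non-POST methods as of this commit, it is worth confirming that the call issues a POST and carries the CSRF token.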
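Review bot: In www/~/%username/toggle-is-suspicious.json.spt, `request.allow('POST')` narrows the method but does not by itself stop a forged cross-site POST sent from an admin's browser. That protection depends on the site's CSRF token check covering this route, which is not visible in the hunk and should be confirmed. A comment above the call would record the intent, for example `# State-changing admin action: POST only, so a plain GET link can never flip the flag.` The script continues outside the hunk.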