diff --git a/app/controllers/session_controller.rb b/app/controllers/session_controller.rb
index 5ea61f2badc..3ea48ad1d87 100644
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@@ -103,7 +103,21 @@ class SessionController < ApplicationController
   skip_before_action :check_xhr, only: [:become]
 
   def become
+    raise Discourse::InvalidAccess if Rails.env.production?
+
+    if ENV['DISCOURSE_DEV_ALLOW_ANON_TO_IMPERSONATE'] != "1"
+      render(content_type: 'text/plain', inline: <<~TEXT)
+        To enable impersonating any user without typing passwords set the following ENV var
+
+        export DISCOURSE_DEV_ALLOW_ANON_TO_IMPERSONATE=1
+
+        You can do that in your bashrc of bash profile file or the script you use to launch the web server
+      TEXT
+
+      return
+    end
+
     user = User.find_by_username(params[:session_id])
     raise "User #{params[:session_id]} not found" if user.blank?