diff --git a/src/routes/api/upload-secure.ts b/src/routes/api/upload-secure.ts
index b86c464..064c35a 100644
--- a/src/routes/api/upload-secure.ts
+++ b/src/routes/api/upload-secure.ts
@@ -1,10 +1,16 @@
-
 import { NextApiRequest, NextApiResponse } from 'next';
-export default async function handler(req: NextApiRequest, res: NextApiResponse) {
-    if (req.method === 'POST') {
-        // TODO: secure upload implementation
-        res.status(200).json({ message: 'Secure upload route ready' });
-    } else {
-        res.status(405).json({ error: 'Method not allowed' });
-    }
+
+/**
+ * Legacy Pages Router endpoint intentionally disabled.
+ *
+ * Security note:
+ * secure attachment uploads are only supported through the App Router
+ * endpoint at `app/api/upload-secure/route.ts`, which enforces fresh session,
+ * origin checks, authorization, and encrypted metadata handling.
+ */
+export default async function handler(_req: NextApiRequest, res: NextApiResponse) {
+  return res.status(410).json({
+    error: 'This legacy endpoint is disabled. Use /api/upload-secure.',
+    code: 'LEGACY_ENDPOINT_DISABLED',
+  });
 }
diff --git a/tests/legacy-upload-secure-route.test.ts b/tests/legacy-upload-secure-route.test.ts
new file mode 100644
index 0000000..23637c4
--- /dev/null
+++ b/tests/legacy-upload-secure-route.test.ts
@@ -0,0 +1,32 @@
+import { describe, expect, it } from 'vitest';
+import handler from '@/src/routes/api/upload-secure';
+
+function createMockResponse() {
+  const result: { statusCode?: number; body?: unknown } = {};
+  const res = {
+    status(code: number) {
+      result.statusCode = code;
+      return this;
+    },
+    json(body: unknown) {
+      result.body = body;
+      return this;
+    },
+  };
+
+  return { res, result };
+}
+
+describe('legacy upload-secure pages route', () => {
+  it('is permanently disabled to avoid bypassing secure app route controls', async () => {
+    const { res, result } = createMockResponse();
+
+    await handler({ method: 'POST' } as never, res as never);
+
+    expect(result.statusCode).toBe(410);
+    expect(result.body).toEqual({
+      error: 'This legacy endpoint is disabled. Use /api/upload-secure.',
+      code: 'LEGACY_ENDPOINT_DISABLED',
+    });
+  });
+});