diff --git a/client.inc.php b/client.inc.php
index 2ad4d4702139d68e589dd917acfcedd4ca28f30d..63d7d12243c130ded357a7fe59f9d7a6024a5667 100644
--- a/client.inc.php
+++ b/client.inc.php
@@ -22,6 +22,10 @@ require_once($thisdir.'main.inc.php');
 
 if(!defined('INCLUDE_DIR')) die('Fatal error');
 
+// Enforce ACL (if applicable)
+if (!Validator::check_acl('client'))
+    die(__('Access Denied'));
+
 /*Some more include defines specific to client only */
 define('CLIENTINC_DIR',INCLUDE_DIR.'client/');
 define('OSTCLIENTINC',TRUE);
diff --git a/include/client/header.inc.php b/include/client/header.inc.php
index aa619f9791e2aa6320449226b2e093deedc1d28b..e823bd01398c79b510bf8358b535b7b0ade8d3a7 100644
--- a/include/client/header.inc.php
+++ b/include/client/header.inc.php
@@ -8,10 +8,6 @@ $signout_url = ROOT_PATH . "logout.php?auth=".$ost->getLinkToken();
 header("Content-Type: text/html; charset=UTF-8");
 header("Content-Security-Policy: frame-ancestors '".$cfg->getAllowIframes()."';");
 
-// Enforce ACL (if applicable)
-if (!Validator::check_acl('client'))
-    die(__('Access Denied'));
-
 if (($lang = Internationalization::getCurrentLanguage())) {
     $langs = array_unique(array($lang, $cfg->getPrimaryLanguage()));
     $langs = Internationalization::rfc1766($langs);
diff --git a/include/staff/header.inc.php b/include/staff/header.inc.php
index cbe42e3443bf0c58f71829d3cf743c9f3d15146c..d04d9f53f2c476eecdc983a58d761bcfb42ff65a 100644
--- a/include/staff/header.inc.php
+++ b/include/staff/header.inc.php
@@ -2,10 +2,6 @@
 header("Content-Type: text/html; charset=UTF-8");
 header("Content-Security-Policy: frame-ancestors ".$cfg->getAllowIframes().";");
 
-// Enforce ACL (if applicable)
-if (!Validator::check_acl('staff'))
-    die(__('Access Denied'));
-
 $title = ($ost && ($title=$ost->getPageTitle()))
     ? $title : ('osTicket :: '.__('Staff Control Panel'));
 
diff --git a/scp/staff.inc.php b/scp/staff.inc.php
index 8acf73ceabfe35f2e2f054eb019230ebbd5821c0..da4c5a382bb57b2d6f84cdf5d21259f826ca81cd 100644
--- a/scp/staff.inc.php
+++ b/scp/staff.inc.php
@@ -21,6 +21,10 @@ require_once('../main.inc.php');
 
 if(!defined('INCLUDE_DIR')) die('Fatal error... invalid setting.');
 
+// Enforce ACL (if applicable)
+if (!Validator::check_acl('staff'))
+    die(__('Access Denied'));
+
 /*Some more include defines specific to staff only */
 define('STAFFINC_DIR',INCLUDE_DIR.'staff/');
 define('SCP_DIR',str_replace('//','/',dirname(__FILE__).'/'));