diff --git a/apps/ops/api/playbook.py b/apps/ops/api/playbook.py
index 322129b8b..43e609345 100644
--- a/apps/ops/api/playbook.py
+++ b/apps/ops/api/playbook.py
@@ -59,6 +59,8 @@ class PlaybookFileBrowserAPIView(APIView):
 rbac_perms = ()
 permission_classes = ()
+ protected_files = ['root', 'main.yml']
+
 def get(self, request, **kwargs):
 playbook_id = kwargs.get('pk')
 playbook = get_object_or_404(Playbook, id=playbook_id)
@@ -132,6 +134,10 @@ class PlaybookFileBrowserAPIView(APIView):
 work_path = playbook.work_dir
 file_key = request.data.get('key', '')
+
+ if file_key in self.protected_files:
+ return Response({'msg': '{} can not be modified'.format(file_key)}, status=400)
+
 if os.path.dirname(file_key) == 'root':
 file_key = os.path.basename(file_key)
@@ -154,15 +160,14 @@ class PlaybookFileBrowserAPIView(APIView):
 return Response({'msg': 'ok'})
 def delete(self, request, **kwargs):
- not_delete_allowed = ['root', 'main.yml']
 playbook_id = kwargs.get('pk')
 playbook = get_object_or_404(Playbook, id=playbook_id)
 work_path = playbook.work_dir
 file_key = request.query_params.get('key', '')
 if not file_key:
- return Response(status=400)
- if file_key in not_delete_allowed:
- return Response(status=400)
+ return Response({'msg': 'key is required'}, status=400)
+ if file_key in self.protected_files:
+ return Response({'msg': ' {} can not be delete'.format(file_key)}, status=400)
 file_path = os.path.join(work_path, file_key)
 if os.path.isdir(file_path):
 shutil.rmtree(file_path)
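Review bot: `protected_files` in the first hunk is a mutable class-level list with no comment on what its entries are compared against, which matters because both later checks use exact `in` membership on the client-supplied key. A tuple plus a one-line comment would make the contract explicit: `protected_files = ('root', 'main.yml')  # keys, relative to work_dir, that the modify and delete handlers must refuse`. The context lines above it show `rbac_perms = ()` and `permission_classes = ()`, so within this view the name list appears to be the only guard visible; whether access control is enforced elsewhere cannot be told from this hunk. The class body continues outside the hunk.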
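Review bot: In the hunk at `@@ -132,6 +134,10 @@` the protected-name check runs on the raw `key` before the following context lines rewrite it (`if os.path.dirname(file_key) == 'root': file_key = os.path.basename(file_key)`), so a key that only becomes `main.yml` after that rewrite is never compared against `protected_files`. Move the check below the rewrite and compare a normalized value, for example `if os.path.normpath(file_key) in self.protected_files:`. The same exact-match comparison is used in the `delete` hunk. The enclosing method starts and ends outside this hunk, so how `file_key` is later joined to `work_path` is not visible here.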
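Review bot: `delete` joins the client-supplied `key` to `work_path` with `os.path.join` and passes the result to `shutil.rmtree` without checking that it still lies inside the playbook directory; `os.path.join` discards `work_path` when the second argument is absolute, and `..` segments are not collapsed. The membership test against `protected_files` is an exact string match, so it does not cover other spellings of the same path either. Resolve the path first, reject anything outside `work_path`, and compare the resolved relative path against `protected_files`, as sketched below. Separately, the new message `' {} can not be delete'` has a stray leading space and should read `'{} can not be deleted'`. The body of `delete` continues past the end of the hunk.

```python
file_key = request.query_params.get('key', '')
if not file_key:
    return Response({'msg': 'key is required'}, status=400)
base_dir = os.path.realpath(work_path)
file_path = os.path.realpath(os.path.join(base_dir, file_key))
# Refuse the work dir itself and anything that resolves outside it.
if file_path == base_dir or os.path.commonpath([base_dir, file_path]) != base_dir:
    return Response({'msg': 'invalid key'}, status=400)
if os.path.relpath(file_path, base_dir) in self.protected_files:
    return Response({'msg': '{} can not be deleted'.format(file_key)}, status=400)
# … unchanged: isdir / rmtree handling …
```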