diff --git a/cmd/typed-errors.go b/cmd/typed-errors.go
index 254a4641b..8b9a941e7 100644
--- a/cmd/typed-errors.go
+++ b/cmd/typed-errors.go
@@ -92,3 +92,6 @@ var errIAMActionNotAllowed = errors.New("Specified IAM action is not allowed und
 
 // error returned when access is denied.
 var errAccessDenied = errors.New("Do not have enough permissions to access this resource")
+
+// error returned when object is locked.
+var errLockedObject = errors.New("Object is WORM protected and cannot be overwritten or deleted")
diff --git a/cmd/web-handlers.go b/cmd/web-handlers.go
index 91a5511e7..5a2acb227 100644
--- a/cmd/web-handlers.go
+++ b/cmd/web-handlers.go
@@ -719,6 +719,9 @@ next:
 			}
 
 			apiErr := enforceRetentionBypassForDeleteWeb(ctx, r, args.BucketName, objectName, getObjectInfo, govBypassPerms)
+			if apiErr == ErrObjectLocked {
+				return toJSONError(ctx, errLockedObject)
+			}
 			if apiErr != ErrNone && apiErr != ErrNoSuchKey {
 				return toJSONError(ctx, errAccessDenied)
 			}
@@ -2140,7 +2143,7 @@ func toWebAPIError(ctx context.Context, err error) APIError {
 			Description:    err.Error(),
 		}
 	case errAuthentication, auth.ErrInvalidAccessKeyLength,
-		auth.ErrInvalidSecretKeyLength, errInvalidAccessKeyID:
+		auth.ErrInvalidSecretKeyLength, errInvalidAccessKeyID, errAccessDenied, errLockedObject:
 		return APIError{
 			Code:           "AccessDenied",
 			HTTPStatusCode: http.StatusForbidden,