diff --git a/authmate/authmate.go b/authmate/authmate.go
index 73c8dfd3..456232d1 100644
--- a/authmate/authmate.go
+++ b/authmate/authmate.go
@@ -336,7 +336,7 @@ func buildEACLTable(eaclTable []byte) (*eacl.Table, error) {
 }
 
 func restrictedRecords() (records []*eacl.Record) {
-	for op := eacl.OperationGet; op <= eacl.OperationRangeHash; op++ {
+	for op := eacl.OperationHead; op <= eacl.OperationRangeHash; op++ {
 		record := eacl.NewRecord()
 		record.SetOperation(op)
 		record.SetAction(eacl.ActionDeny)
diff --git a/docs/authmate.md b/docs/authmate.md
index 86eabe5d..5206eafe 100644
--- a/docs/authmate.md
+++ b/docs/authmate.md
@@ -225,7 +225,6 @@ If bearer rules are not set, a token will be auto-generated with a value:
     "records": [
        {"operation": "GET", "action": "ALLOW", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]},
 
-       {"operation": "GET", "action": "DENY", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]},
        {"operation": "HEAD", "action": "DENY", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]},
        {"operation": "PUT", "action": "DENY", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]},
        {"operation": "DELETE", "action": "DENY", "filters": [], "targets": [{"role": "OTHERS", "keys": []}]},