diff --git a/src/dashboard.js b/src/dashboard.js
index 0c49b40a4..171895760 100644
--- a/src/dashboard.js
+++ b/src/dashboard.js
@@ -83,7 +83,7 @@ async function startPrepareLocation(domain, auditSource) {
 
     debug(`prepareLocation: ${domain}`);
 
-    if (constants.DEMO) throw new BoxError(BoxError.CONFLICT, 'Not allowed in demo mode');
+    if (constants.DEMO) throw new BoxError(BoxError.BAD_STATE, 'Not allowed in demo mode');
 
     const fqdn = dns.fqdn(constants.DASHBOARD_SUBDOMAIN, domain);
     const result = await apps.list();
@@ -118,7 +118,7 @@ async function setupLocation(subdomain, domain, auditSource) {
 
     debug(`setupLocation: ${domain}`);
 
-    if (constants.DEMO) throw new BoxError(BoxError.CONFLICT, 'Not allowed in demo mode');
+    if (constants.DEMO) throw new BoxError(BoxError.BAD_STATE, 'Not allowed in demo mode');
 
     await reverseProxy.writeDashboardConfig(domain);
     await setLocation(subdomain, domain);
diff --git a/src/directoryserver.js b/src/directoryserver.js
index 4f7cb0bd5..8ff061bb5 100644
--- a/src/directoryserver.js
+++ b/src/directoryserver.js
@@ -90,7 +90,7 @@ async function setConfig(directoryServerConfig, auditSource) {
     assert.strictEqual(typeof directoryServerConfig, 'object');
     assert(auditSource && typeof auditSource === 'object');
 
-    if (constants.DEMO) throw new BoxError(BoxError.BAD_FIELD, 'Not allowed in demo mode');
+    if (constants.DEMO) throw new BoxError(BoxError.BAD_STATE, 'Not allowed in demo mode');
 
     const oldConfig = await getConfig();
 
diff --git a/src/domains.js b/src/domains.js
index 2b984989a..fee265929 100644
--- a/src/domains.js
+++ b/src/domains.js
@@ -205,7 +205,7 @@ async function setConfig(domain, data, auditSource) {
     let { zoneName, provider, config, fallbackCertificate, tlsConfig } = data;
 
     const { domain:dashboardDomain } = await dashboard.getLocation();
-    if (constants.DEMO && (domain === dashboardDomain)) throw new BoxError(BoxError.CONFLICT, 'Not allowed in demo mode');
+    if (constants.DEMO && (domain === dashboardDomain)) throw new BoxError(BoxError.BAD_STATE, 'Not allowed in demo mode');
 
     const domainObject = await get(domain);
     if (zoneName) {
diff --git a/src/externalldap.js b/src/externalldap.js
index 8882f9b36..5c9b17501 100644
--- a/src/externalldap.js
+++ b/src/externalldap.js
@@ -74,7 +74,7 @@ async function setConfig(newConfig, auditSource) {
     assert.strictEqual(typeof newConfig, 'object');
     assert(auditSource && typeof auditSource === 'object');
 
-    if (constants.DEMO) throw new BoxError(BoxError.BAD_FIELD, 'Not allowed in demo mode');
+    if (constants.DEMO) throw new BoxError(BoxError.BAD_STATE, 'Not allowed in demo mode');
 
     const currentConfig = await getConfig();
 
diff --git a/src/network.js b/src/network.js
index ae205d747..22a7b0df4 100644
--- a/src/network.js
+++ b/src/network.js
@@ -93,7 +93,7 @@ async function setBlocklist(blocklist, auditSource) {
     }
 
     if (count >= 262144) throw new BoxError(BoxError.CONFLICT, 'Blocklist is too large. Max 262144 entries are allowed'); // see the cloudron-firewall.sh
-    if (constants.DEMO) throw new BoxError(BoxError.CONFLICT, 'Not allowed in demo mode');
+    if (constants.DEMO) throw new BoxError(BoxError.BAD_STATE, 'Not allowed in demo mode');
 
     // store in blob since the value field is TEXT and has 16kb size limit
     await settings.setBlob(settings.FIREWALL_BLOCKLIST_KEY, Buffer.from(blocklist));
@@ -125,7 +125,7 @@ async function getIPv4Config() {
 async function setIPv4Config(ipv4Config) {
     assert.strictEqual(typeof ipv4Config, 'object');
 
-    if (constants.DEMO) throw new BoxError(BoxError.BAD_FIELD, 'Not allowed in demo mode');
+    if (constants.DEMO) throw new BoxError(BoxError.BAD_STATE, 'Not allowed in demo mode');
 
     const error = await testIPv4Config(ipv4Config);
     if (error) throw error;
@@ -141,7 +141,7 @@ async function getIPv6Config() {
 async function setIPv6Config(ipv6Config) {
     assert.strictEqual(typeof ipv6Config, 'object');
 
-    if (constants.DEMO) throw new BoxError(BoxError.BAD_FIELD, 'Not allowed in demo mode');
+    if (constants.DEMO) throw new BoxError(BoxError.BAD_STATE, 'Not allowed in demo mode');
 
     const error = await testIPv6Config(ipv6Config);
     if (error) throw error;
diff --git a/src/users.js b/src/users.js
index 4265dd51c..1db75693f 100644
--- a/src/users.js
+++ b/src/users.js
@@ -417,7 +417,7 @@ async function del(user, auditSource) {
     assert.strictEqual(typeof user, 'object');
     assert(auditSource && typeof auditSource === 'object');
 
-    if (constants.DEMO && user.username === constants.DEMO_USERNAME) throw new BoxError(BoxError.BAD_FIELD, 'Not allowed in demo mode');
+    if (constants.DEMO && user.username === constants.DEMO_USERNAME) throw new BoxError(BoxError.BAD_STATE, 'Not allowed in demo mode');
 
     const queries = [];
     queries.push({ query: 'DELETE FROM groupMembers WHERE userId = ?', args: [ user.id ] });
@@ -569,7 +569,7 @@ async function update(user, data, auditSource) {
     assert(!('active' in data) || (typeof data.active === 'boolean'));
     assert(!('loginLocations' in data) || (Array.isArray(data.loginLocations)));
 
-    if (constants.DEMO && user.username === constants.DEMO_USERNAME) throw new BoxError(BoxError.BAD_FIELD, 'Not allowed in demo mode');
+    if (constants.DEMO && user.username === constants.DEMO_USERNAME) throw new BoxError(BoxError.BAD_STATE, 'Not allowed in demo mode');
 
     let error, result;
 
@@ -752,7 +752,7 @@ async function setPassword(user, newPassword, auditSource) {
     let error = validatePassword(newPassword);
     if (error) throw error;
 
-    if (constants.DEMO && user.username === constants.DEMO_USERNAME) throw new BoxError(BoxError.BAD_FIELD, 'Not allowed in demo mode');
+    if (constants.DEMO && user.username === constants.DEMO_USERNAME) throw new BoxError(BoxError.BAD_STATE, 'Not allowed in demo mode');
     if (user.source) throw new BoxError(BoxError.CONFLICT, 'User is from an external directory');
 
     let salt, derivedKey;
@@ -848,7 +848,7 @@ async function setTwoFactorAuthenticationSecret(userId, auditSource) {
     const user = await get(userId);
     if (!user) throw new BoxError(BoxError.NOT_FOUND, 'User not found');
 
-    if (constants.DEMO && user.username === constants.DEMO_USERNAME) throw new BoxError(BoxError.BAD_FIELD, 'Not allowed in demo mode');
+    if (constants.DEMO && user.username === constants.DEMO_USERNAME) throw new BoxError(BoxError.BAD_STATE, 'Not allowed in demo mode');
 
     if (user.twoFactorAuthenticationEnabled) throw new BoxError(BoxError.ALREADY_EXISTS);
 
@@ -960,7 +960,7 @@ async function getProfileConfig() {
 async function setProfileConfig(profileConfig) {
     assert.strictEqual(typeof profileConfig, 'object');
 
-    if (constants.DEMO) throw new BoxError(BoxError.BAD_FIELD, 'Not allowed in demo mode');
+    if (constants.DEMO) throw new BoxError(BoxError.BAD_STATE, 'Not allowed in demo mode');
 
     const oldConfig = await getProfileConfig();
     await settings.setJson(settings.PROFILE_CONFIG_KEY, profileConfig);