diff --git a/crates/cli/src/util.rs b/crates/cli/src/util.rs
index 5467275e..8f1d9fb3 100644
--- a/crates/cli/src/util.rs
+++ b/crates/cli/src/util.rs
@@ -135,6 +135,10 @@ pub fn site_config_from_config(
         password_login_enabled: password_config.enabled(),
         password_registration_enabled: password_config.enabled()
             && experimental_config.password_registration_enabled,
+        email_change_allowed: experimental_config.email_change_allowed,
+        displayname_change_allowed: experimental_config.displayname_change_allowed,
+        password_change_allowed: password_config.enabled()
+            && experimental_config.password_change_allowed,
     }
 }
 
diff --git a/crates/config/src/sections/experimental.rs b/crates/config/src/sections/experimental.rs
index 97b362e6..e53d5ba1 100644
--- a/crates/config/src/sections/experimental.rs
+++ b/crates/config/src/sections/experimental.rs
@@ -1,4 +1,4 @@
-// Copyright 2023 The Matrix.org Foundation C.I.C.
+// Copyright 2023, 2024 The Matrix.org Foundation C.I.C.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -40,6 +40,7 @@ const fn is_default_true(value: &bool) -> bool {
 ///
 /// Do not change these options unless you know what you are doing.
 #[serde_as]
+#[allow(clippy::struct_excessive_bools)]
 #[derive(Clone, Debug, Deserialize, JsonSchema, Serialize)]
 pub struct ExperimentalConfig {
     /// Time-to-live of access tokens in seconds. Defaults to 5 minutes.
@@ -65,6 +66,20 @@ pub struct ExperimentalConfig {
     /// if password authentication is enabled.
     #[serde(default = "default_true", skip_serializing_if = "is_default_true")]
     pub password_registration_enabled: bool,
+
+    /// Whether users are allowed to change their email addresses. Defaults to
+    /// `true`.
+    #[serde(default = "default_true", skip_serializing_if = "is_default_true")]
+    pub email_change_allowed: bool,
+
+    /// Whether users are allowed to change their display names. Defaults to
+    /// `true`.
+    #[serde(default = "default_true", skip_serializing_if = "is_default_true")]
+    pub displayname_change_allowed: bool,
+
+    /// Whether users are allowed to change their passwords. Defaults to `true`.
+    #[serde(default = "default_true", skip_serializing_if = "is_default_true")]
+    pub password_change_allowed: bool,
 }
 
 impl Default for ExperimentalConfig {
@@ -73,6 +88,9 @@ impl Default for ExperimentalConfig {
             access_token_ttl: default_token_ttl(),
             compat_token_ttl: default_token_ttl(),
             password_registration_enabled: default_true(),
+            email_change_allowed: default_true(),
+            displayname_change_allowed: default_true(),
+            password_change_allowed: default_true(),
         }
     }
 }
@@ -82,6 +100,9 @@ impl ExperimentalConfig {
         is_default_token_ttl(&self.access_token_ttl)
             && is_default_token_ttl(&self.compat_token_ttl)
             && is_default_true(&self.password_registration_enabled)
+            && is_default_true(&self.email_change_allowed)
+            && is_default_true(&self.displayname_change_allowed)
+            && is_default_true(&self.password_change_allowed)
     }
 }
 
diff --git a/crates/handlers/src/site_config.rs b/crates/handlers/src/site_config.rs
index 6ae76885..29d00191 100644
--- a/crates/handlers/src/site_config.rs
+++ b/crates/handlers/src/site_config.rs
@@ -17,6 +17,7 @@ use mas_templates::{SiteBranding, SiteFeatures};
 use url::Url;
 
 /// Random site configuration we don't now where to put yet.
+#[allow(clippy::struct_excessive_bools)]
 #[derive(Debug, Clone)]
 pub struct SiteConfig {
     pub access_token_ttl: Duration,
@@ -27,6 +28,9 @@ pub struct SiteConfig {
     pub imprint: Option<String>,
     pub password_login_enabled: bool,
     pub password_registration_enabled: bool,
+    pub email_change_allowed: bool,
+    pub displayname_change_allowed: bool,
+    pub password_change_allowed: bool,
 }
 
 impl SiteConfig {
diff --git a/crates/handlers/src/test_utils.rs b/crates/handlers/src/test_utils.rs
index d82158cf..ea677a50 100644
--- a/crates/handlers/src/test_utils.rs
+++ b/crates/handlers/src/test_utils.rs
@@ -129,6 +129,9 @@ pub fn test_site_config() -> SiteConfig {
         imprint: None,
         password_login_enabled: true,
         password_registration_enabled: true,
+        email_change_allowed: true,
+        displayname_change_allowed: true,
+        password_change_allowed: true,
     }
 }
 
diff --git a/docs/config.schema.json b/docs/config.schema.json
index 4212cb32..b3e49021 100644
--- a/docs/config.schema.json
+++ b/docs/config.schema.json
@@ -1970,6 +1970,18 @@
         "password_registration_enabled": {
           "description": "Whether to enable self-service password registration. Defaults to `true` if password authentication is enabled.",
           "type": "boolean"
+        },
+        "email_change_allowed": {
+          "description": "Whether users are allowed to change their email addresses. Defaults to `true`.",
+          "type": "boolean"
+        },
+        "displayname_change_allowed": {
+          "description": "Whether users are allowed to change their display names. Defaults to `true`.",
+          "type": "boolean"
+        },
+        "password_change_allowed": {
+          "description": "Whether users are allowed to change their passwords. Defaults to `true`.",
+          "type": "boolean"
         }
       }
     }