diff --git a/lib/browserid/views.js b/lib/browserid/views.js
index fb61705937f09cd74d67686e0d8de7fd151139dd..0ca111100a1211e636c1e17cda6a818486223e0b 100644
--- a/lib/browserid/views.js
+++ b/lib/browserid/views.js
@@ -10,7 +10,8 @@ fs = require('fs'),
 connect = require('connect'),
 config = require('../configuration.js'),
 und = require('underscore'),
-util = require('util');
+util = require('util'),
+httputils = require('../httputils.js');
 
 // all templated content, redirects, and renames are handled here.
 // anything that is not an api, and not static
@@ -154,18 +155,19 @@ exports.setup = function(app) {
     renderCachableView(req, res, 'add_email_address.ejs', {title: 'Verify Email Address', fullpage: false});
   });
 
-  /**
-   *
-   * XXX benadida or lloyd, I tried to use straight up regexp to do this, but.
-   * is there a better way to do this?
-   */
-  function QUnit(req, res) {
-    res.render('test.ejs', {title: 'BrowserID QUnit Test', layout: false});
+  // serve up testing templates.  but NOT in staging or production.  see GH-1044
+  if ([ 'https://browserid.org', 'https://diresworb.org' ].indexOf(config.get('public_url')) === -1) {
+    // serve test.ejs to /test or /test/ or /test/index.html
+    app.get(/^\/test\/(?:index.html)?$/, function (req, res) {
+      res.render('test.ejs', {title: 'BrowserID QUnit Test', layout: false});
+    });
+  } else {
+    // this is stage or production, explicitly disable all resources under /test
+    app.get(/^\/test/, function(req, res) {
+      httputils.notFound("Cannot " + req.method + " " + req.url);
+    });
   }
 
-  app.get("/test", QUnit);
-  app.get("/test/index.html", QUnit);
-
   // REDIRECTS
   REDIRECTS = {
     "/manage": "/",