In mesos, one can use the flag --firewall_rules to disable endpoints. Disabled endpoints will return a 403 Forbidden response whenever someone tries to access endpoints.
Libprocess support adding one default delegate for endpoints, which is the default process id which handles endpoints if no process id was given. For example, the default id of the master libprocess process is master which is also set as the delegate for the master system process, so a request to the endpoint http://master-address:5050/state.json will effectively be resolved by http://master-address:5050/master/state.json. But if one disables /state.json because of how delegates work, it can still access /master/state.json.
The only workaround is to disabled both enpoints.