Is there a way to prevent boot loader update over OTA?

Hello,

We use an ESP8266 and a modified rboot which validates the SHA-1 sum of the firmware to prevent an attacker from doing an OTA with his modified firmware. As it is also possible to update the bootloader via OTA (https://forum.mongoose-os.com/discussion/comment/5188/#Comment_5188), this security addition has no effect. Is there a way to compile firmware which would never allow updating (or overwriting) the bootloader via OTA?

Also, which parts of the fw.zip are subject to OTA? Are they all the ones from manifest.json with src, except those with "update": false?

Thanks in advance