diff --git a/src/file/server.ts b/src/file/server.ts
index 1831ef23b2..21447b596b 100644
--- a/src/file/server.ts
+++ b/src/file/server.ts
@@ -90,28 +90,40 @@ function send(data: Buffer, type: string, req: express.Request, res: express.Res
  * Routing
  */
 
-app.get('/:id', async (req, res): Promise<void> => {
+app.get('/:id', async (req, res) => {
+	// Validate id
+	if (!mongodb.ObjectID.isValid(req.params.id)) {
+		res.status(400).send('incorrect id');
+		return;
+	}
+
 	const file = await File.findOne({_id: new mongodb.ObjectID(req.params.id)});
 
 	if (file == null) {
 		res.status(404).sendFile(__dirname + '/resources/dummy.png');
 		return;
 	} else if (file.data == null) {
-		res.status(400);
+		res.sendStatus(400);
 		return;
 	}
 
 	send(file.data.buffer, file.type, req, res);
 });
 
-app.get('/:id/:name', async (req, res): Promise<void> => {
+app.get('/:id/:name', async (req, res) => {
+	// Validate id
+	if (!mongodb.ObjectID.isValid(req.params.id)) {
+		res.status(400).send('incorrect id');
+		return;
+	}
+
 	const file = await File.findOne({_id: new mongodb.ObjectID(req.params.id)});
 
 	if (file == null) {
 		res.status(404).sendFile(__dirname + '/resources/dummy.png');
 		return;
 	} else if (file.data == null) {
-		res.status(400);
+		res.sendStatus(400);
 		return;
 	}