diff --git a/server/lib/api/address.js b/server/lib/api/address.js
index 722adb2..719a8cc 100644
--- a/server/lib/api/address.js
+++ b/server/lib/api/address.js
@@ -1,6 +1,7 @@
 const logger = require('../logger');
 const request = require('request');
 const config = require('../../config');
+const util = require('../util');
 const API_URL = `http://${config.bcoin_http}:${config.bcoin['http-port']}`;
 const TTL = config.api.request_ttl;
@@ -8,6 +9,13 @@ const TTL = config.api.request_ttl;
 module.exports = function AddressAPI(router) {
 router.get('/addr/:addr', (req, res) => {
 const addr = req.params.addr || '';
+
+ if (!util.isBitcoinAddress(addr)) {
+ return res.status(400).send({
+ error: 'Invalid bitcoin address',
+ });
+ }
+
 logger.log('debug', 'Warning: Requesting data from Bcoin by address, may take some time');
 // Get Bcoin data
diff --git a/server/lib/api/block.js b/server/lib/api/block.js
index 482ea0e..ad14eb5 100644
--- a/server/lib/api/block.js
+++ b/server/lib/api/block.js
@@ -1,11 +1,20 @@
 const logger = require('../logger');
-const db = require('../db');
+const db = require('../db');
+const util = require('../util');
 module.exports = function BlockAPI(router) {
 router.get('/block/:blockHash', (req, res) => {
+ const blockHash = req.params.blockHash;
+
+ if (!util.isBlockHash(blockHash)) {
+ return res.status(400).send({
+ error: 'Invalid bitcoin address',
+ });
+ }
+
 // Pass Mongo params, fields and limit to db api.
 db.blocks.getBlock(
- { hash: req.params.blockHash },
+ { hash: blockHash },
 { rawBlock: 0 },
 1,
 (err, block) => {
@@ -73,6 +82,13 @@ module.exports = function BlockAPI(router) {
 router.get('/rawblock/:blockHash', (req, res) => {
 const blockHash = req.params.blockHash || '';
+
+ if (!util.isBlockHash(blockHash)) {
+ return res.status(400).send({
+ error: 'Invalid bitcoin address',
+ });
+ }
+
 // Pass Mongo params, fields and limit to db api.
 db.blocks.getBlock(
 { hash: blockHash },
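Review bot: The guard in the `/addr/:addr` handler is only as strong as `util.isBitcoinAddress`, whose implementation is not in this diff, and `addr` is about to be handed to the bcoin HTTP API at `API_URL` (the request itself is past the end of the hunk), so please confirm the helper is a strict syntactic check — base58 or bech32 character set plus length, not a loose heuristic — so that a value containing `/`, `?`, `#` or whitespace can never be interpolated into that URL. A one-line comment on the guard would make that dependency explicit for the next maintainer: `// Strict syntactic check; addr is interpolated into the bcoin request URL below.` The handler body continues outside the hunk.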
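Review bot: The 400 response added to the `/block/:blockHash` handler says `'Invalid bitcoin address'`, but the check that failed is `util.isBlockHash(blockHash)`, so a client sending a malformed hash is told the wrong thing; change it to `error: 'Invalid block hash',`. Minor inconsistency: this handler reads `const blockHash = req.params.blockHash;` while the `/rawblock` handler keeps `|| ''` — harmless for a matched route parameter, but the two should agree. The handler body continues outside the hunk.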
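Review bot: The guard added to `/rawblock/:blockHash` is a verbatim copy of the one in `/block/:blockHash`, including the copy-pasted `'Invalid bitcoin address'` wording for what is a block-hash failure, so the message and any future tightening of the check have to be fixed in two places. If `router` is an Express Router (the `router.get` / `res.status(400).send` usage suggests it is), `router.param('blockHash', …)` validates the parameter once for every route that declares it; otherwise a small shared helper would do the same. The handler body continues outside the hunk.

```javascript
// Validate :blockHash once for every route that declares it, before the handlers run.
router.param('blockHash', (req, res, next, value) => {
  if (!util.isBlockHash(value)) {
    return res.status(400).send({ error: 'Invalid block hash' });
  }
  return next();
});
// … unchanged: /block/:blockHash and /rawblock/:blockHash handlers, with the per-route guards removed …
```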
diff --git a/server/lib/api/message.js b/server/lib/api/message.js
index 42ba63e..27c0703 100644
--- a/server/lib/api/message.js
+++ b/server/lib/api/message.js
@@ -1,10 +1,17 @@
 const Message = require('bitcore-message');
-
+const util = require('../util');
 // Copied from previous source
 function verifyMessage(req, res) {
 const address = req.body.address || req.query.address;
 const signature = req.body.signature || req.query.signature;
 const message = req.body.message || req.query.message;
+
+ if (!util.isBitcoinAddress(address)) {
+ return res.status(400).send({
+ error: 'Invalid bitcoin address',
+ });
+ }
+
 if (!address || !signature || !message) {
 res.json({
 message: 'Missing parameters (expected "address", "signature" and "message")',
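Review bot: The new address-format check is placed before the existing missing-parameters check, so a request that omits `address` now gets a 400 `'Invalid bitcoin address'` instead of the `'Missing parameters (expected "address", "signature" and "message")'` reply — assuming `util.isBitcoinAddress(undefined)` returns false, the missing-parameter branch can no longer fire for `address`. Move the `if (!util.isBitcoinAddress(address)) { … }` block to just after the `if (!address || !signature || !message) { … }` block so presence is reported first and format second. Also, `req.body.address || req.query.address` need not be a string (depending on the query/body parser, `?address[]=…` yields an array), so either the helper must tolerate non-string input or the guard should read `if (typeof address !== 'string' || !util.isBitcoinAddress(address)) {`. The rest of verifyMessage, including what happens after the missing-parameters `res.json`, is outside the hunk.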