diff --git a/src/main/java/me/braydon/mc/controller/PlayerController.java b/src/main/java/me/braydon/mc/controller/PlayerController.java
index 42daf53..c437a04 100644
--- a/src/main/java/me/braydon/mc/controller/PlayerController.java
+++ b/src/main/java/me/braydon/mc/controller/PlayerController.java
@@ -713,7 +713,7 @@ public final class PlayerController {
      *
      * @param query the query to search for the player by
      * @return the player response
-     * @throws BadRequestException if the UUID is malformed
+     * @throws BadRequestException if the UUID is malformed or the username is invalid
      * @throws ResourceNotFoundException if the player is not found
      */
     @GetMapping("/{query}")
diff --git a/src/main/java/me/braydon/mc/service/MojangService.java b/src/main/java/me/braydon/mc/service/MojangService.java
index 545720a..8552156 100644
--- a/src/main/java/me/braydon/mc/service/MojangService.java
+++ b/src/main/java/me/braydon/mc/service/MojangService.java
@@ -711,6 +711,7 @@ import java.net.URL;
 import java.nio.charset.StandardCharsets;
 import java.util.*;
 import java.util.concurrent.TimeUnit;
+import java.util.regex.Pattern;
 
 /**
  * A service for interacting with the Mojang API.
@@ -726,6 +727,8 @@ public final class MojangService {
     private static final String USERNAME_TO_UUID = API_ENDPOINT + "/users/profiles/minecraft/%s";
     private static final String FETCH_BLOCKED_SERVERS = SESSION_SERVER_ENDPOINT + "/blockedservers";
 
+    private static final Pattern USERNAME_REGEX = Pattern.compile("^[a-zA-Z0-9_]{2,16}$");
+
     private static final int DEFAULT_PART_TEXTURE_SIZE = 128;
     private static final int MAX_PART_TEXTURE_SIZE = 512;
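Review bot: The new `USERNAME_REGEX` constant encodes an allow-list whose bounds the reader cannot verify from the code alone — the `{2,16}` length range and the `[a-zA-Z0-9_]` alphabet — and it carries no comment saying where they come from. As far as I recall Mojang's current naming rule is 3–16 characters; if the lower bound of 2 is deliberate to admit legacy short names, say so, otherwise it is a silent permissiveness worth tightening. I would add a Javadoc above the constant: `/** Allow-list for username lookups: only [A-Za-z0-9_], 2–16 chars, checked before the value is formatted into USERNAME_TO_UUID. */`. The `^`/`$` anchors are redundant with `Matcher.matches()`, which already requires the whole input to match, but they are harmless and make the intent explicit.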
@@ -836,7 +839,7 @@ public final class MojangService {
      * @param query the query to search for the player by
      * @param bypassCache should the cache be bypassed?
      * @return the player
-     * @throws BadRequestException if the UUID is malformed
+     * @throws BadRequestException if the UUID is malformed or the username is invalid
      * @throws ResourceNotFoundException if the player is not found
      */
     @NonNull
@@ -853,6 +856,9 @@ public final class MojangService {
                 throw new BadRequestException("Malformed UUID provided: %s".formatted(query));
             }
         } else { // The query is a username, request from Mojang
+            if (!USERNAME_REGEX.matcher(query).matches()) { // Ensure the username is valid
+                throw new BadRequestException("Invalid username provided: %s".formatted(query));
+            }
             uuid = usernameToUUID(query);
             log.info("Found UUID for username {}: {}", query, uuid);
         }
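Review bot: The new `throw new BadRequestException("Invalid username provided: %s".formatted(query))` line echoes the unvalidated query verbatim into the error message — precisely the input that just failed the allow-list — so if `BadRequestException` is ever rendered into HTML or written to a log without escaping, this becomes a reflection vector for arbitrary client-controlled bytes. The placement of the check itself is right: it runs before `usernameToUUID(query)` formats the value into the Mojang URL, which closes path and query injection into that outbound request for this branch. I would drop the echo, `throw new BadRequestException("Invalid username provided");`, and keep the raw value only in a parameterized `log.debug(...)` if it is needed for troubleshooting. The enclosing method starts and ends outside the hunk, so I cannot tell whether any cache lookup keyed on the raw query runs before this check; if it does, the same validation should move ahead of it.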