diff --git a/src/endpoints/files/file_server.ts b/src/endpoints/files/file_server.ts
index 9cf3b1a..12ddea3 100644
--- a/src/endpoints/files/file_server.ts
+++ b/src/endpoints/files/file_server.ts
@@ -1,16 +1,24 @@
 import { ServerRoute } from "@hapi/hapi";
 import { log } from "$/main";
 import path from "path";
+import Joi from "joi";
+import { channelSchema } from "$/schemas/general";
 const route: ServerRoute = {
 method: `GET`,
 path: `/{channel}/overlay/{theme}/{path*}`,
 options: {
+ validate: {
+ params: Joi.object({
+ channel: channelSchema,
+ theme: Joi.string().pattern(/^[a-z0-9\-]+$/),
+ path: Joi.string().optional(),
+ }),
+ },
 files: {
 relativeTo: path.join(process.cwd(), `site`),
 },
 },
 handler(request, h) {
- // const theme = request.query.theme;
 const path = request.params.path;
 const theme = request.params.theme.replace(/\-/g, `/`);
diff --git a/src/endpoints/new_game.ts b/src/endpoints/new_game.ts
index c24c1a4..ee13800 100644
--- a/src/endpoints/new_game.ts
+++ b/src/endpoints/new_game.ts
@@ -1,4 +1,5 @@
 import { anonymizePhrase, convertToKey, spacePhrase } from "$/utils/game";
+import { channelSchema } from "$/schemas/general";
 import { config, database } from "$/main";
 import { ServerRoute } from "@hapi/hapi";
 import { readFileSync } from "fs";
@@ -10,7 +11,7 @@ const route: ServerRoute = {
 options: {
 validate: {
 params: Joi.object({
- channel: Joi.string().alphanum(),
+ channel: channelSchema,
 }),
 query: Joi.object({
 word_list: Joi.string(),
diff --git a/src/endpoints/setup_channel.ts b/src/endpoints/setup_channel.ts
index cc47d51..6482e0b 100644
--- a/src/endpoints/setup_channel.ts
+++ b/src/endpoints/setup_channel.ts
@@ -1,5 +1,6 @@
-import { database } from "$/main";
+import { channelSchema } from "$/schemas/general";
 import { ServerRoute } from "@hapi/hapi";
+import { database } from "$/main";
 import Joi from "joi";
 const route: ServerRoute = {
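Review bot: In the file_server.ts hunk the new `params` schema constrains `theme` but leaves the wildcard `path` as an unrestricted `Joi.string()`, so dot segments and any other characters still reach the handler. The handler body continues past this hunk, so how `path` and `theme` are combined into a file lookup is not visible here; if it builds a filesystem path, the schema should reject `..` segments itself rather than relying only on the file plugin's confinement to `relativeTo`. The `theme` pattern also admits leading, trailing and doubled hyphens, which the handler's hyphen-to-slash `replace` turns into leading or empty path segments; `theme: Joi.string().pattern(/^[a-z0-9]+(?:-[a-z0-9]+)*$/),` would limit it to well-formed segments. Separately, the local `const path` shadows the imported `path` module inside the handler, which is easy to trip over once path-handling code is added there.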
@@ -7,7 +8,7 @@ const route: ServerRoute = {
 options: {
 validate: {
 payload: Joi.object({
- channel: Joi.string().alphanum(),
+ channel: channelSchema,
 }),
 },
 },
diff --git a/src/endpoints/view_game_state.ts b/src/endpoints/view_game_state.ts
index 1a68a47..3236e72 100644
--- a/src/endpoints/view_game_state.ts
+++ b/src/endpoints/view_game_state.ts
@@ -1,3 +1,4 @@
+import { channelSchema } from "$/schemas/general";
 import { config, database } from "$/main";
 import { ServerRoute } from "@hapi/hapi";
 import Joi from "joi";
@@ -7,7 +8,7 @@ const route: ServerRoute = {
 options: {
 validate: {
 params: Joi.object({
- channel: Joi.string().alphanum(),
+ channel: channelSchema,
 }),
 },
 },
diff --git a/src/schemas/general.ts b/src/schemas/general.ts
new file mode 100644
index 0000000..0d7a599
--- /dev/null
+++ b/src/schemas/general.ts
@@ -0,0 +1,3 @@
+import Joi from "joi";
+
+export const channelSchema = Joi.string().pattern(/^[a-z0-9_\-]$/i);
\ No newline at end of file
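Review bot: `channel` in the setup_channel.ts payload schema is still optional, because Joi object keys are optional unless marked otherwise, so a request body without `channel` passes validation. Unlike the routes that take the channel from the URL, nothing else guarantees the value is present here; `channel: channelSchema.required(),` would make the handler's input explicit. The handler is outside this hunk, so whether it already guards against an undefined channel is not visible.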
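Review bot: The character class in `channelSchema` has no quantifier, so `/^[a-z0-9_\-]$/i` matches exactly one character and any longer channel name will fail validation on every route this commit switches over (file_server, new_game, setup_channel, view_game_state). The pattern should be `Joi.string().pattern(/^[a-z0-9_\-]+$/i)`, ideally with a `.max(...)` bound so the accepted length is explicit. The schema also widens the previous `alphanum()` rule to allow `_` and `-`; it is worth confirming that whatever consumes the channel downstream (database keys, the overlay path) treats those characters as plain data. A short comment above the export stating which characters a channel may contain and why would keep the four call sites from drifting again.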