diff --git a/website/src/routes/api/coin/create/+server.ts b/website/src/routes/api/coin/create/+server.ts
index e8ce27c..00172b2 100644
--- a/website/src/routes/api/coin/create/+server.ts
+++ b/website/src/routes/api/coin/create/+server.ts
@@ -16,6 +16,15 @@ async function validateInputs(name: string, symbol: string, iconFile: File | nul
 throw error(400, 'Symbol must be between 2 and 10 characters');
 }
+ const alphanumericRegex = /^[a-zA-Z0-9]+$/;
+ if (!alphanumericRegex.test(name)) {
+ throw error(400, 'Coin name must contain only letters and numbers');
+ }
+
+ if (!alphanumericRegex.test(symbol)) {
+ throw error(400, 'Coin symbol must contain only letters and numbers');
+ }
+
 const nameAppropriate = await isNameAppropriate(name);
 if (!nameAppropriate) {
 throw error(400, 'Coin name contains inappropriate content');
diff --git a/website/src/routes/api/settings/+server.ts b/website/src/routes/api/settings/+server.ts
index c28e4ed..07d771b 100644
--- a/website/src/routes/api/settings/+server.ts
+++ b/website/src/routes/api/settings/+server.ts
@@ -24,6 +24,13 @@ async function validateInputs(name: string, bio: string, username: string, avata
 throw error(400, 'Username must be between 3 and 30 characters');
 }
+ if (username) {
+ const alphanumericRegex = /^[a-zA-Z0-9]+$/;
+ if (!alphanumericRegex.test(username)) {
+ throw error(400, 'Username must contain only letters and numbers');
+ }
+ }
+
 if (username && !(await isNameAppropriate(username))) {
 throw error(400, 'Username contains inappropriate content');
 }
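Review bot: The new allowlist in the coin/create hunk is declared as a function-local literal with no comment explaining the intent, and the identical literal is re-declared in the settings route, so the two can silently drift; hoist it to a shared module-level constant such as `const ALPHANUMERIC_RE = /^[a-zA-Z0-9]+$/; // ASCII letters/digits only: rejects whitespace, punctuation and Unicode before the moderation call` and reference it from both checks (a regex without the `g`/`y` flags carries no `lastIndex` state, so sharing one instance is safe). The anchors are correct as written — in JavaScript `$` without the `m` flag does not match before a trailing newline, unlike Python — so the check is genuinely strict. Note the allowlist is ASCII-only, which also rejects legitimate non-Latin coin names; that is a product decision worth recording in the comment rather than leaving implicit. `validateInputs` starts before this hunk (its signature is only visible in the `@@` header) and continues past it.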
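Review bot: In the settings hunk the format check runs only `if (username)`, which matches the `username &&` guard on the following moderation line and so presumably means the field is optional, but that intent is not stated; a one-line comment such as `// username is optional on this endpoint; only validate its format when supplied` would stop a later reader from "fixing" the asymmetry with the coin route, where the same check is unconditional. The `username: string` annotation is compile-time only, and `RegExp.prototype.test` coerces its argument via ToString, so if the handler passes the parsed request-body field through without a runtime type check (not visible here) it is worth rejecting non-strings first, e.g. `if (username !== undefined && typeof username !== 'string') throw error(400, 'Username must be a string');`. As in the other file, the regex literal should come from one shared constant rather than being re-declared per call. `validateInputs` begins before this hunk and its remaining parameters are cut off in the header.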