diff --git a/www/common/common-hash.js b/www/common/common-hash.js
index 0f5341d9b..1bdd3b702 100644
--- a/www/common/common-hash.js
+++ b/www/common/common-hash.js
@@ -500,5 +500,27 @@ Version 1
return name;
};
+ Hash.isValidHref = function (href) {
+ // Non-empty href?
+ if (!href) { return; }
+ var parsed = Hash.parsePadUrl(href);
+ // Can be parsed?
+ if (!parsed) { return; }
+ // Link to a CryptPad app?
+ if (!parsed.type) { return; }
+ // Valid hash?
+ if (parsed.hash) {
+ if (!parsed.hashData) { return; }
+ // Version should be a number
+ if (typeof(parsed.hashData.version) === "undefined") { return; }
+ // pads and files should have a base64 (or hex) key
+ if (parsed.hashData.type === 'pad' || parsed.hashData.type === 'file') {
+ if (!parsed.hashData.key) { return; }
+ if (!/^[a-zA-Z0-9+-/]+$/.test(parsed.hashData.key)) { return; }
+ }
+ }
+ return true;
+ };
+
return Hash;
});
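Review bot: The character class in the key check, `/^[a-zA-Z0-9+-/]+$/`, contains an accidental range: `+-/` spans code points 0x2B–0x2F, so it admits `,` and `.` in addition to the intended `+`, `-` and `/`, which contradicts the "base64 (or hex) key" comment above it. Put the hyphen last so it is literal, `if (!/^[a-zA-Z0-9+/-]+$/.test(parsed.hashData.key)) { return; }`, and if the keys produced by `parsePadUrl` can carry `=` padding or a URL-safe `_`, list those explicitly as well rather than relying on a range. Separately, the comment "Version should be a number" is stronger than the check on the line below it, which only rejects `undefined`; either check `typeof(parsed.hashData.version) === "number"` or soften the comment to "Version must be present". The function is otherwise self-contained within the hunk.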
diff --git a/www/common/sframe-common-outer.js b/www/common/sframe-common-outer.js
index 3c97a4735..085d928a2 100644
--- a/www/common/sframe-common-outer.js
+++ b/www/common/sframe-common-outer.js
@@ -134,6 +134,11 @@ define([
});
}));
}).nThen(function (waitFor) {
+ if (!Utils.Hash.isValidHref(window.location.href)) {
+ waitFor.abort();
+ return void sframeChan.event('EV_LOADING_ERROR', 'INVALID_HASH');
+ }
+
$('#sbox-iframe').focus();
sframeChan.on('EV_CACHE_PUT', function (x) {
diff --git a/www/common/sframe-common.js b/www/common/sframe-common.js
index 89c0feab7..b89cad5bb 100644
--- a/www/common/sframe-common.js
+++ b/www/common/sframe-common.js
@@ -557,6 +557,19 @@ define([
UIElements.displayStorePadPopup(funcs, data);
});
+ ctx.sframeChan.on('EV_LOADING_ERROR', function (err) {
+ var msg = err;
+ if (err === 'DELETED') {
+ msg = Messages.deletedError + '
' + Messages.errorRedirectToHome;
+ }
+ if (err === "INVALID_HASH") {
+ msg = Messages.invalidHashError; // XXX
+ }
+ UI.errorLoadingScreen(msg, false, function () {
+ funcs.gotoURL('/drive/');
+ });
+ });
+
ctx.metadataMgr.onReady(waitFor());
funcs.addShortcuts();
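Review bot: The `INVALID_HASH` branch reads `Messages.invalidHashError` and is still marked `// XXX`, which suggests the translation key has not been added yet; if it is missing at runtime, `msg` becomes `undefined` and `UI.errorLoadingScreen` is shown with no text before the user is redirected to `/drive/`. Either add the key before merging or guard the lookup, `msg = Messages.invalidHashError || err;`, so an unlocalized code is shown rather than an empty screen. Note also that the new handler's default path, `var msg = err;`, forwards any unrecognised error code from the outer frame straight into the loading-screen message, whereas the old handler it replaces (removed in the next hunk) only reacted to `DELETED`; if that widening is intended, a short comment saying unknown codes are displayed verbatim would help the next reader. The enclosing function continues beyond this hunk.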
@@ -591,15 +604,6 @@ define([
window.CP_DEV_MODE = ctx.metadataMgr.getPrivateData().devMode;
} catch (e) {}
- ctx.sframeChan.on('EV_LOADING_ERROR', function (err) {
- if (err === 'DELETED') {
- var msg = Messages.deletedError + '
' + Messages.errorRedirectToHome;
- UI.errorLoadingScreen(msg, false, function () {
- funcs.gotoURL('/drive/');
- });
- }
- });
-
ctx.sframeChan.on('EV_LOGOUT', function () {
$(window).on('keyup', function (e) {
if (e.keyCode === 27) {