diff --git a/service/api/post-session.go b/service/api/post-session.go
index dd67174..fabff85 100644
--- a/service/api/post-session.go
+++ b/service/api/post-session.go
@@ -3,6 +3,7 @@ package api
 import (
 "encoding/json"
 "net/http"
+ "regexp"
 "github.com/julienschmidt/httprouter"
 "github.com/notherealmarco/WASAPhoto/service/api/helpers"
@@ -29,7 +30,21 @@ func (rt *_router) PostSession(w http.ResponseWriter, r *http.Request, ps httpro
 if err == nil { // test if user exists
 uid, err = rt.db.GetUserID(request.Name)
 }
+
 if db_errors.EmptySet(err) { // user does not exist
+
+ // before creating the user, check if the name is valid
+ stat, regex_err := regexp.Match(`^[a-zA-Z0-9_]{3,16}$`, []byte(request.Name))
+ if regex_err != nil {
+ helpers.SendInternalError(err, "Error while matching username regex", w, rt.baseLogger)
+ return
+ }
+ if !stat {
+ // username didn't match the regex, so it's invalid, let's send a bad request error
+ helpers.SendBadRequest(w, "Username must be between 3 and 16 characters long and can only contain letters, numbers and underscores", rt.baseLogger)
+ return
+ }
+
 uid, err = rt.db.CreateUser(request.Name)
 }
 if err != nil { // handle any other error
diff --git a/service/api/put-updateusername.go b/service/api/put-updateusername.go
index 888c404..4e8fc19 100644
--- a/service/api/put-updateusername.go
+++ b/service/api/put-updateusername.go
@@ -26,7 +26,7 @@ func (rt *_router) UpdateUsername(w http.ResponseWriter, r *http.Request, ps htt
 stat, err := regexp.Match(`^[a-zA-Z0-9_]{3,16}$`, []byte(req.Name))
 if err != nil {
- helpers.SendInternalError(err, "Error while matching username", w, rt.baseLogger)
+ helpers.SendInternalError(err, "Error while matching username regex", w, rt.baseLogger)
 return
 }
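Review bot: The regex-failure branch in PostSession passes `err` to `helpers.SendInternalError`, but the failure is held in `regex_err`; at that point `err` still carries the empty-set result from `GetUserID`, so the log would record a user-not-found error instead of the regex problem. The call should read `helpers.SendInternalError(regex_err, "Error while matching username regex", w, rt.baseLogger)`. Because the pattern is a constant that also appears in put-updateusername.go, compiling it once at package scope with `regexp.MustCompile` and calling `MatchString(request.Name)` in both handlers would keep the two username rules from drifting apart and would remove an error branch that cannot fire for a valid constant pattern. The check runs only on the create path, so names stored before this change are presumably still accepted at login; PostSession's body starts and ends outside the hunk.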