diff --git a/src/index.ts b/src/index.ts
index 0191bc2..39e433d 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -8,6 +8,12 @@ import {
 const PORT = Number(process.env.PORT) || 4040;
+function isValidRoomName(name: unknown): name is string {
+ if (typeof name !== "string") return false;
+ if (name.length === 0 || name.length > 64) return false;
+ return /^[a-zA-Z0-9_-]+$/.test(name);
+}
+
 Bun.serve({
 port: PORT,
 fetch(req, server) {
@@ -40,6 +46,12 @@ Bun.serve({
 switch (msg.type) {
 case "join": {
+ if (!isValidRoomName(msg.room)) {
+ ws.send(
+ JSON.stringify({ type: "error", message: "invalid room name" }),
+ );
+ break;
+ }
 const session = getOrCreateSession(msg.room);
 ws.data.room = msg.room;
 session.join(client);
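Review bot: `isValidRoomName` has no doc comment, and its length limit `64` and character class are bare literals, so the next maintainer cannot tell which constraints are deliberate. I would lift the limit into a named constant, `const MAX_ROOM_NAME_LENGTH = 64;`, and add a TSDoc comment above the function. The comment should say that the value comes from a client message, that only non-empty ASCII letters, digits, `_` and `-` are accepted, and that anything else (including non-string values) is rejected. It is also worth noting there that the `name is string` predicate returns false for strings that fail the check, so the negative branch does not mean "not a string".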
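Review bot: The new guard in `case "join"` limits what a room name looks like but not how many rooms a client can cause to exist, because `getOrCreateSession(msg.room)` still runs for every distinct valid name. `getOrCreateSession` is outside this hunk, so this is inferred from its name: if it allocates a session per new name, one connection can still grow server state without bound by cycling through valid names. I would record that next to the guard, e.g. `// validation bounds the name's shape only; session count per connection is still uncapped`, and follow up with a cap or idle-session cleanup. Rejected joins are also only reported back to the client; a server-side counter or log line for them would make probing visible. The `switch` and the rest of the `join` case continue outside the hunk.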