diff --git a/services/blob/src/http/handlers/blob.rs b/services/blob/src/http/handlers/blob.rs --- a/services/blob/src/http/handlers/blob.rs +++ b/services/blob/src/http/handlers/blob.rs @@ -4,6 +4,7 @@ use crate::database::{BlobItem, ReverseIndexItem}; use crate::http::context::handle_s3_error; use crate::tools::MemOps; +use crate::validate_identifier; use super::{handle_db_error, AppContext}; use actix_web::error::{ @@ -28,6 +29,8 @@ ) -> actix_web::Result { info!("Get blob request"); let holder = params.into_inner(); + validate_identifier!(holder); + let s3_path = ctx.find_s3_path_by_holder(&holder).await?; tracing::Span::current().record("s3_path", s3_path.to_full_path()); @@ -87,6 +90,8 @@ ) -> actix_web::Result { info!("Assign holder request"); let AssignHolderPayload { holder, blob_hash } = payload.into_inner(); + validate_identifier!(holder); + validate_identifier!(blob_hash); if ctx .db @@ -137,6 +142,8 @@ let blob_hash = String::from_utf8(buf) .map_err(|_| ErrorInternalServerError("Internal error"))?; + + validate_identifier!(blob_hash); return Ok(blob_hash); } @@ -243,6 +250,8 @@ ) -> actix_web::Result { info!("Delete blob request"); let holder = params.into_inner(); + validate_identifier!(holder); + let reverse_index_item = ctx .db .find_reverse_index_by_holder(&holder) diff --git a/services/blob/src/http/mod.rs b/services/blob/src/http/mod.rs --- a/services/blob/src/http/mod.rs +++ b/services/blob/src/http/mod.rs @@ -9,6 +9,7 @@ mod context; use context::AppContext; +mod utils; mod handlers { pub(super) mod blob; diff --git a/services/blob/src/http/utils.rs b/services/blob/src/http/utils.rs new file mode 100644 --- /dev/null +++ b/services/blob/src/http/utils.rs 
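Review bot: The identifier check on `holder` in the get-blob handler is opt-in per call site, so nothing prevents a later handler from passing an unchecked string to `find_s3_path_by_holder` or to the database lookups. The same pattern repeats in the assign-holder hunk (`holder`, `blob_hash`) and the delete hunk (`holder`). Consider validating at the boundary instead, with a small newtype whose constructor or `Deserialize` impl calls `is_valid_identifier`, and having the lookup functions accept that type rather than a plain string. Until then, a comment such as `// holder is untrusted request input; validate before any DB/S3 lookup` above each macro call would document the intent. The handler bodies start and end outside these hunks.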
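Review bot: Bytes that are not valid UTF-8 are still answered with a 500 by the `String::from_utf8(buf)` line just above the added `validate_identifier!(blob_hash)`, while a well-formed but invalid hash now gets a 400. If `buf` holds client-supplied data (it looks that way, but its origin is outside the hunk), both are client errors. Mapping the first case the same way, `.map_err(|_| ErrorBadRequest("Bad request"))?`, keeps malformed uploads from showing up as server faults in monitoring. The hunk does not show whether `buf` is size-bounded, which is worth confirming because validation only runs once the whole value is buffered.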
@@ -0,0 +1,16 @@
+/// Validates given identifier variable and returns HTTP 400
+/// in case of failure
+#[macro_export]
+macro_rules! validate_identifier {
+ ($input_variable:expr) => {{
+ if !comm_services_lib::tools::is_valid_identifier(&$input_variable) {
+ let variable_name = stringify!($input_variable);
+ tracing::warn!(
+ "{} is not a valid identifier: {}",
+ variable_name,
+ $input_variable
+ );
+ return Err(ErrorBadRequest("Bad request"));
+ }
+ }};
+}
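Review bot: The `tracing::warn!` call writes the rejected value with `{}`, and a value that has just failed validation may contain newlines or control characters that forge log lines; its length is also not capped here. Formatting it with Debug escapes those characters, `"{} is not a valid identifier: {:?}"`, and truncating it or logging only its length would bound log volume. Separately, `ErrorBadRequest` is resolved at the call site, unlike `comm_services_lib::tools::is_valid_identifier` and `tracing::warn!`, so the macro only compiles where that name is imported; `return Err(actix_web::error::ErrorBadRequest("Bad request"));` makes it self-contained. The argument is an `expr` that is expanded three times, so the doc comment should state that it is meant for plain variables and that the macro returns early from the enclosing function.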