diff --git a/lib/routes/avatars.js b/lib/routes/avatars.js
index 4e46991..39e140e 100644
--- a/lib/routes/avatars.js
+++ b/lib/routes/avatars.js
@@ -33,6 +33,15 @@ module.exports = function(req, callback) {
   var def = req.url.query.default;
   var helm = req.url.query.hasOwnProperty("helm");
 
+  // check for extra paths
+  if (req.url.path_list.length > 2) {
+    callback({
+      status: -2,
+      body: "Invalid URL Path"
+    });
+    return;
+  }
+
   // Prevent app from crashing/freezing
   if (size < config.min_size || size > config.max_size) {
     // "Unprocessable Entity", valid request, but semantically erroneous:
diff --git a/lib/routes/capes.js b/lib/routes/capes.js
index f97fd4c..28dd6fb 100644
--- a/lib/routes/capes.js
+++ b/lib/routes/capes.js
@@ -4,10 +4,19 @@ var cache = require("../cache");
 
 // GET cape request
 module.exports = function(req, callback) {
-  var userId = (req.url.pathname.split("/")[2] || "").split(".")[0];
+  var userId = (req.url.path_list[1] || "").split(".")[0];
   var def = req.url.query.default;
   var rid = req.id;
 
+  // check for extra paths
+  if (req.url.path_list.length > 2) {
+    callback({
+      status: -2,
+      body: "Invalid URL Path"
+    });
+    return;
+  }
+
   if (!helpers.id_valid(userId)) {
     callback({
       status: -2,
diff --git a/lib/routes/renders.js b/lib/routes/renders.js
index d1932db..04c8048 100644
--- a/lib/routes/renders.js
+++ b/lib/routes/renders.js
@@ -47,6 +47,15 @@ module.exports = function(req, callback) {
   var scale = parseInt(req.url.query.scale) || config.default_scale;
   var helm = req.url.query.hasOwnProperty("helm");
 
+  // check for extra paths
+  if (req.url.path_list.length > 3) {
+    callback({
+      status: -2,
+      body: "Invalid URL Path"
+    });
+    return;
+  }
+
   // validate type
   if (raw_type !== "body" && raw_type !== "head") {
     callback({
diff --git a/lib/routes/skins.js b/lib/routes/skins.js
index 6e917ef..0d056ea 100644
--- a/lib/routes/skins.js
+++ b/lib/routes/skins.js
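Review bot: The same eight-line extra-segment guard is pasted into avatars.js, capes.js, renders.js and skins.js with only the limit differing (2, 2, 3, 2), so the accepted segment count and the "Invalid URL Path" response now live in four places; a single helper next to `helpers.id_valid`, called as `if (helpers.path_too_long(req, 2, callback)) { return; }` (constructed name), would keep the limits visible in one spot and the error shape consistent with the existing id_valid rejection. Whether a trailing slash is now rejected depends on how `path_list` is built, which this diff does not show: if empty segments are kept, `/capes/<id>/` would fail with "Invalid URL Path" where it was previously served, so that case deserves an explicit test either way. In capes.js the userId line moves from `pathname.split("/")[2]` to `path_list[1]`, which suggests path_list drops the leading empty segment; the userId lines of the other three routes sit outside their hunks, so I cannot confirm they use the same indexing. Each handler's body begins before and continues after its hunk.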
@@ -40,6 +40,15 @@ module.exports = function(req, callback) {
   var def = req.url.query.default;
   var rid = req.id;
 
+  // check for extra paths
+  if (req.url.path_list.length > 2) {
+    callback({
+      status: -2,
+      body: "Invalid URL Path"
+    });
+    return;
+  }
+
   if (!helpers.id_valid(userId)) {
     callback({
       status: -2,