diff --git a/packages/middleware/lib/log-account-handler.ts b/packages/middleware/lib/log-account-handler.ts
index eef113bbbaf5b04d6cd8323213208defdb66230e..bcdf2490e3babbaaeb51b6b60eb070b3e0b96b0e 100644
--- a/packages/middleware/lib/log-account-handler.ts
+++ b/packages/middleware/lib/log-account-handler.ts
@@ -11,6 +11,16 @@ import {
 import { getClientIp } from './common-utils';
 import { checkCsrfHeader } from '@smart-signer/lib/csrf-protection';
 
+/**
+ * Validates that input is safe to log (prevents log injection).
+ * Only allows lowercase letters, numbers, dots, and hyphens.
+ */
+function isSafeForLogging(input: string): boolean {
+ if (typeof input !== 'string') return false;
+ if (input.length === 0 || input.length > 16) return false;
+ return /^[a-z0-9.-]+$/.test(input);
+}
+
 export async function handleLogAccount(req: NextApiRequest, res: NextApiResponse) {
 if (req.method !== 'POST') {
 return res.status(405).json({ error: 'Method not allowed' });
@@ -51,6 +61,11 @@ export async function handleLogAccount(req: NextApiRequest, res: NextApiResponse
 return;
 }
 
+ // Validate username format to prevent log injection
+ if (!isSafeForLogging(username)) {
+ return res.status(400).json({ error: 'Invalid username format' });
+ }
+
 // Parse authProof transaction to get loginChallenge and loginType
 const parsedData = await parseAuthProofTransaction(authProof);
 if (!parsedData) {
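Review bot: The `typeof input !== 'string'` guard in isSafeForLogging is dead under its declared `input: string` signature, so the function cannot serve as a runtime check on a raw request field unless the caller has already asserted the type; declaring it as a predicate, `function isSafeForLogging(input: unknown): input is string {`, makes the runtime check meaningful and lets the caller narrow the body value at the same time. The doc comment also omits the length bound the body enforces; it should state the full contract, e.g. `Accepts 1–16 characters from [a-z0-9.-]; rejects empty strings, longer values and non-strings.` Since the rule is a username-format rule rather than a general "safe to log" rule, the name may later mislead a caller into passing other values (an IP string from getClientIp would be rejected by the character class), which is worth noting in the comment.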
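Review bot: The new format check sits after whatever handleLogAccount does between its start and this hunk, so if `username` is written to a log in any earlier branch (the `return;` just above suggests earlier early-exit paths), the injection guard arrives too late and the check belongs immediately after the body field is read. handleLogAccount starts and ends outside this hunk, so this cannot be confirmed from the diff alone. The 400 response correctly does not echo the rejected value; a one-line comment naming the ordering constraint, `// username must pass isSafeForLogging before it reaches any log line below`, would keep a future edit from logging it earlier.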