diff --git a/apps/functions/dns-redirecting/index.ts b/apps/functions/dns-redirecting/index.ts
index 00aa7c2690..70210a2c64 100644
--- a/apps/functions/dns-redirecting/index.ts
+++ b/apps/functions/dns-redirecting/index.ts
@@ -1,5 +1,10 @@
 import * as functions from 'firebase-functions';
+const isValidDomain = (domain: string): boolean => {
+ // Only allow alphanumeric characters, dots, and hyphens
+ return /^[a-zA-Z0-9.-]+$/.test(domain);
+};
+
 export const dnsRedirecting = functions.https.onRequest(
 {
 cors: true,
@@ -30,6 +35,11 @@ export const dnsRedirecting = functions.https.onRequest(
 }
 }
+ if (!isValidDomain(hostname)) {
+ response.status(400).send('Invalid Hostname');
+ return;
+ }
+
 if (hostname === 'code-of-conduct.angular.io') {
 response.redirect(redirectType, 'https://code-of-conduct.angular.dev');
 } else if (hostname === 'update.angular.dev') {
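Review bot: `isValidDomain` is a character allowlist rather than a domain check: the pattern `/^[a-zA-Z0-9.-]+$/` accepts `.`, `-`, `a..b` and strings of any length, and it rejects a `host:port` value because `:` is not in the class. If `hostname` can still carry a port when it reaches the check (its derivation is outside this hunk), legitimate requests would now get a 400. I would state the real contract in the comment, `// Character allowlist only (letters, digits, '.', '-'); label structure and length are not checked, and a ':port' suffix is rejected`, and consider a length bound such as `domain.length <= 253 &&` in front of the test.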
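Review bot: The new guard `if (!isValidDomain(hostname))` limits which characters are accepted but not which host, so any later branch of this handler that builds a redirect target from `hostname` would still follow an arbitrary well-formed name. The branches visible here compare against fixed strings and redirect to fixed URLs, which is safe on its own; the rest of the chain lies outside this hunk, so this needs confirming there. If such a fall-through exists, a lookup in a fixed map of known hosts is the stronger control. Separately, the 400 path leaves no trace; a line such as `functions.logger.warn('dnsRedirecting: rejected hostname');` before the `send` would make rejected requests visible in the function logs.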