diff --git a/browser-interface/packages/shared/comms/adapters/WebSocketAdapter.ts b/browser-interface/packages/shared/comms/adapters/WebSocketAdapter.ts
index 68c8cada01..33fe5410b3 100644
--- a/browser-interface/packages/shared/comms/adapters/WebSocketAdapter.ts
+++ b/browser-interface/packages/shared/comms/adapters/WebSocketAdapter.ts
@@ -87,6 +87,10 @@ export class WebSocketAdapter implements MinimumCommunicationsAdapter {
 return this.handleWelcomeMessage(message.welcomeMessage, ws)
 }
 case 'challengeMessage': {
+ if (!message.challengeMessage.challengeToSign.match(/^dcl-[^:]*$/)) {
+ throw new Error('Protocol error: invalid challenge')
+ }
+
 const authChainJson = JSON.stringify(
 Authenticator.signPayload(this.identity, message.challengeMessage.challengeToSign)
 )
diff --git a/browser-interface/packages/shared/realm/connections/ArchipelagoConnection.ts b/browser-interface/packages/shared/realm/connections/ArchipelagoConnection.ts
index ad6ca443af..1adb5b0de5 100644
--- a/browser-interface/packages/shared/realm/connections/ArchipelagoConnection.ts
+++ b/browser-interface/packages/shared/realm/connections/ArchipelagoConnection.ts
@@ -74,6 +74,10 @@ export async function createArchipelagoConnection(
 
 switch (message.$case) {
 case 'challengeResponse': {
+ if (!message.challengeResponse.challengeToSign.match(/^dcl-[^:]*$/)) {
+ throw new Error('Protocol error: invalid challenge')
+ }
+
 const authChainJson = JSON.stringify(
 Authenticator.signPayload(identity, message.challengeResponse.challengeToSign)
 )
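Review bot: The new guard in the `challengeMessage` case of WebSocketAdapter.ts rejects only challenges that lack the `dcl-` prefix or contain `:`; `[^:]*` still accepts newlines, control characters, an empty suffix and any length, so most of the payload signed with `this.identity` stays under the server's control. If the server's challenge format is fixed (not visible here), an allowlist with a length bound would be tighter, for instance `/^dcl-[A-Za-z0-9_-]{1,128}$/` as a constructed example to adjust to the real format, used with `.test()` rather than `.match()`. The same pattern literal is repeated in the `challengeResponse` case of ArchipelagoConnection.ts; a single exported helper would keep the two checks from drifting, and a comment such as `// Never sign a server-supplied payload that could be mistaken for another signed message format` would record why the check exists. The enclosing switch starts and ends outside the hunk.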
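Review bot: In the `challengeResponse` case of ArchipelagoConnection.ts the rejection is a bare `throw new Error('Protocol error: invalid challenge')`, and the hunk does not show what catches it or whether the socket is closed afterwards; the same applies to the `challengeMessage` case in WebSocketAdapter.ts. A server that sends a malformed challenge has violated the protocol, so the connection should be torn down rather than left open for further messages; if the enclosing handler (outside the hunk) does not already do that, close the socket before throwing. Recording the event without echoing the challenge contents, which may contain newlines, would make repeated invalid challenges from a realm visible in telemetry.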