diff --git a/mkt/api/forms.py b/mkt/api/forms.py
index 89c764c9da8..2625daad70b 100644
--- a/mkt/api/forms.py
+++ b/mkt/api/forms.py
@@ -117,6 +117,10 @@ def clean_upload(self):
 return super(NewPackagedForm, self).clean_upload()
+class PreviewArgsForm(happyforms.Form):
+ app = forms.IntegerField()
+
+
 class PreviewJSONForm(happyforms.Form):
 file = JSONField(required=True)
 position = forms.IntegerField(required=True)
diff --git a/mkt/api/resources.py b/mkt/api/resources.py
index 2a3e571250a..4ce43313122 100644
--- a/mkt/api/resources.py
+++ b/mkt/api/resources.py
@@ -25,7 +25,8 @@
 MarketplaceAuthentication)
 from mkt.api.base import MarketplaceResource
 from mkt.api.forms import (CategoryForm, DeviceTypeForm, NewPackagedForm,
- PreviewJSONForm, StatusForm, UploadForm)
+ PreviewArgsForm, PreviewJSONForm, StatusForm,
+ UploadForm)
 from mkt.developers import tasks
 from mkt.developers.forms import NewManifestForm, PreviewForm
 from mkt.submit.forms import AppDetailsBasicForm
@@ -301,8 +302,13 @@ class Meta:
 filtering = {'addon': ALL_WITH_RELATIONS}
 def obj_create(self, bundle, request, **kwargs):
+ # Ensure that people don't pass strings through.
+ args = PreviewArgsForm(request.GET)
+ if not args.is_valid():
+ raise self.form_errors(args)
+
 addon = self.get_object_or_404(Addon,
- pk=request.GET.get('app'),
+ pk=args.cleaned_data['app'],
 type=amo.ADDON_WEBAPP)
 if not AppOwnerAuthorization().is_authorized(request, object=addon):
 raise ImmediateHttpResponse(response=http.HttpForbidden())
diff --git a/mkt/api/tests/test_handlers.py b/mkt/api/tests/test_handlers.py
index b1f835d8741..250d648a20f 100644
--- a/mkt/api/tests/test_handlers.py
+++ b/mkt/api/tests/test_handlers.py
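Review bot: The new `PreviewArgsForm` in forms.py has no docstring, and nothing on the class says it validates query-string arguments rather than a POST body, which is the one thing that distinguishes it from the neighbouring `PreviewJSONForm`. I would add `"""Query-string arguments for the preview endpoint; ``app`` is the pk of the target Addon and is required."""` under the class line. Since `forms.IntegerField()` is required by default, the form also rejects a request that omits `app`, which is worth stating so callers reading the form know a missing parameter is a validation error, not a lookup miss.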
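Review bot: The comment `# Ensure that people don't pass strings through.` above the new validation block in obj_create does not say why the check matters, so it reads as cosmetic. I would replace it with `# Validate the 'app' query parameter as an integer up front; a non-numeric value would otherwise reach the ORM pk lookup unvalidated instead of being rejected with a 400.` Because the field is required, a request that omits `app` now fails validation rather than falling through to `get_object_or_404` with `pk=None`, which is a behaviour change for such callers and should be stated in the comment if intended. Whether `self.form_errors(args)` produces the response object being raised is not visible in this hunk, and obj_create's body continues past the hunk.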
@@ -672,6 +672,13 @@ def test_post_preview(self):
 eq_(previews.count(), 1)
 eq_(previews.all()[0].position, 1)
+ def test_wrong_url(self):
+ url = list(self.list_url)
+ url[-1]['app'] = 'booyah'
+ res = self.client.post(url, data=json.dumps(self.good))
+ eq_(res.status_code, 400)
+ eq_(self.get_error(res)['app'], [u'Enter a whole number.'])
+
 def test_not_mine(self):
 self.app.authors.clear()
 res = self.client.post(self.list_url, data=json.dumps(self.good))
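Review bot: `url = list(self.list_url)` in test_wrong_url is only a shallow copy, so `url[-1]['app'] = 'booyah'` mutates the dict object that `self.list_url` itself holds; the assertion still passes, but the fixture is now dirty for anything that reads `self.list_url` later in the same test instance. Replacing the mutation with `url[-1] = dict(url[-1], app='booyah')` keeps the original untouched at no cost. The new test also covers only the non-numeric case; a sibling test that omits `app` entirely and asserts the resulting 400 (the field is required by default) would pin the other half of the new validation.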