diff --git a/api/controller/auth.js b/api/controller/auth.js
index fcde0e40..bd9b96fe 100644
--- a/api/controller/auth.js
+++ b/api/controller/auth.js
@@ -2,7 +2,8 @@ var jwt = require('jwt-simple'),
 users = require('./users.js'),
 mongo = require('mongodb'),
 otplib = require('otplib'),
- common = require('../../dashboard/helper/common');
+ common = require('../../dashboard/helper/common'),
+ regexValidate = require('../../dashboard/helper/regexValidate');
 var security;
 var secret;
@@ -249,6 +250,16 @@ exports.verify2FA = function(req, res) {
 exports.signup = function(req, res) {
 var user = JSON.parse(req.body.user);
+
+ //validate username - only alphanumeric characters and spaces allowed
+ if (user.name && !regexValidate("user").test(user.name)) {
+ res.status(401).send({
+ 'error': 'Invalid Username',
+ 'code': 34
+ });
+ return;
+ }
+
 if(user.beforeSignup) {
 validateUsername(user.name, function(user) {
 if(user == false) {
diff --git a/api/controller/users.js b/api/controller/users.js
index e720755a..786f9c55 100644
--- a/api/controller/users.js
+++ b/api/controller/users.js
@@ -2,7 +2,8 @@ var mongo = require('mongodb'),
 journal = require('./journal'),
- otplib = require('otplib');
+ otplib = require('otplib'),
+ regexValidate = require('../../dashboard/helper/regexValidate');
 var db;
@@ -677,6 +678,15 @@ exports.addUser = function(req, res) {
 //parse user details
 var user = JSON.parse(req.body.user);
+ //validate username - only alphanumeric characters and spaces allowed
+ if (user.name && !regexValidate("user").test(user.name)) {
+ res.status(401).send({
+ 'error': 'Invalid Username',
+ 'code': 34
+ });
+ return;
+ }
+
 //add timestamp & language
 user.created_time = +new Date();
 user.timestamp = +new Date();
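Review bot: The new guard in signup never checks that `user.name` is a string, and `RegExp.prototype.test` stringifies whatever it is given, so a value that survives `JSON.parse` as an array — `["alice"]` tests as "alice" — passes the regex and is then handed to validateUsername and everything after it as an array rather than a name. Tightening the condition to `if (user.name != null && (typeof user.name !== 'string' || !regexValidate("user").test(user.name)))` keeps a missing name optional as today but rejects any non-string, and it also stops an empty string from bypassing the check through the truthiness guard. The helper's pattern is not in the diff, so whether it is anchored at both ends and ASCII-only, as the comment implies, cannot be confirmed here. signup's body continues past the end of the hunk.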
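Review bot: `res.status(401)` in the new addUser check is the wrong status for a malformed field: 401 means the request carries no valid credentials, and API consumers that treat 401 as an expired session are likely to log the user out over a bad username; a validation failure is a client error, `res.status(400).send({ 'error': 'Invalid Username', 'code': 34 })`. Separately, because the check is gated on `user.name &&`, a body that omits the name or sends `""` skips validation entirely and falls through to the insert below — if addUser requires a name, the guard should fail closed rather than only rejecting names that are present and bad. The same 401 is used in the signup and updateUser hunks of this commit. addUser begins before and continues after the hunk.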
@@ -841,6 +851,15 @@ exports.updateUser = function(req, res) {
 var user = JSON.parse(req.body.user);
 delete user.role; // Disable role change
+ //validate username - only alphanumeric characters and spaces allowed
+ if (user.name && !regexValidate("user").test(user.name)) {
+ res.status(401).send({
+ 'error': 'Invalid Username',
+ 'code': 34
+ });
+ return;
+ }
+
 //do not update name if already exist
 if (typeof user.name !== 'undefined') {
 //check for unique user name validation
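Review bot: The new guard and the rename path two lines below it disagree on what counts as a supplied name: validation runs only when `user.name` is truthy, while the existing branch updates the name whenever `typeof user.name !== 'undefined'`, so a request carrying `"name": ""` or `"name": null` skips the regex and still reaches the uniqueness check and rename. Aligning the guard with that condition, `if (typeof user.name !== 'undefined' && (typeof user.name !== 'string' || !regexValidate("user").test(user.name)))`, closes the gap and additionally rejects non-string values that `RegExp.prototype.test` would otherwise stringify and possibly accept. Whether the helper's pattern rejects an empty string on its own is not visible in the diff. updateUser's body continues past the end of the hunk.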