diff --git a/sample.env b/sample.env
index 750c1f2..54e4023 100644
--- a/sample.env
+++ b/sample.env
@@ -10,4 +10,6 @@ APP_PORT=3000
 CAPTCHA_SOURCE_URL=https://example.com
 DATA_DIR=/opt/captcha_aggregator
 ADMIN_TOKEN=GENERATE_A_STRONG_TOKEN_HERE
-SECRET=GENERATE_A_STRONG_SECRET_HERE
\ No newline at end of file
+SECRET=GENERATE_A_STRONG_SECRET_HERE
+#Allowed symbols. Must be a regex
+ALPHABET="[123456789ABCDEFGHIJKLMNPQRSTUVWXZY]"
\ No newline at end of file
diff --git a/src/config.js b/src/config.js
index a33004b..f96e301 100644
--- a/src/config.js
+++ b/src/config.js
@@ -16,7 +16,8 @@ const config = {
 captcha_source_url: process.env.CAPTCHA_SOURCE_URL,
 data_dir: process.env.DATA_DIR,
 admin_token: process.env.ADMIN_TOKEN,
- secret: process.env.SECRET
+ secret: process.env.SECRET,
+ alphabet: process.env.ALPHABET
 }
 export default config;
\ No newline at end of file
diff --git a/src/controllers/captcha.js b/src/controllers/captcha.js
index 2e5e3c7..0659bd5 100644
--- a/src/controllers/captcha.js
+++ b/src/controllers/captcha.js
@@ -1,11 +1,19 @@
 import CaptchaService from "../services/captcha.js";
 import jwt from 'jsonwebtoken';
+import config from '../config.js';
 class CaptchaController {
 async submit(req, res) {
 const {image, solution} = req.body;
 if (!image) return res.status(400).send({"message":"You must send image blob"});
 if (!solution || solution.length != 6) return res.status(400).send({"message":"You must send a valid solution"});
+ for (let i = 0; i < solution.length; i ++) {
+ let char = solution[i];
+ if (!char.match(config.alphabet)) {
+ console.log("Illegal symbol: " + char);
+ return res.status(400).send({"message": `Illegal symbol ${char} at position ${i + 1}`});
+ }
+ }
 try {
 await CaptchaService.new(image, solution, jwt.decode(req.token).id);
 } catch (e) {
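Review bot: `alphabet: process.env.ALPHABET` is read with no default and no startup check, and its only consumer visible in this commit, `char.match(config.alphabet)` in the src/controllers/captcha.js hunk, fails open when the variable is unset. `String.prototype.match(undefined)` compiles an empty pattern that matches every character, so the new symbol check would silently accept any input. Fail closed at boot with `if (!process.env.ALPHABET) throw new Error('ALPHABET is not set');` ahead of the `const config` object, which begins above this hunk. A comment on the key stating that the value must be a single-character class would also help, since the controller tests one character at a time with an unanchored match.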
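Review bot: The new loop calls `char.match(...)` before the `try`, while `solution` is only checked with `solution.length != 6`, so a JSON array of six non-string elements reaches `char.match` and throws a TypeError outside the handler's error handling. Extend the existing guard to `if (typeof solution !== 'string' || solution.length != 6)` so that only strings enter the loop. The loop also writes the raw client-supplied character to `console.log`, where a newline or control character can forge log lines; log `JSON.stringify(char)` instead. Because `match` is given a string, a RegExp is rebuilt on every iteration, and one precompiled anchored pattern tested once against the whole solution would be simpler. The `submit` method continues past the end of this hunk.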