diff --git a/app/Http/Controllers/TextureController.php b/app/Http/Controllers/TextureController.php
index 9b2c17c2..c1fcec62 100644
--- a/app/Http/Controllers/TextureController.php
+++ b/app/Http/Controllers/TextureController.php
@@ -132,8 +132,12 @@ class TextureController extends Controller
 return $this->avatar($minecraft, $request, $texture);
 }

- protected function avatar(Minecraft $minecraft, Request $request, Texture $texture = null)
+ protected function avatar(Minecraft $minecraft, Request $request, ?Texture $texture)
 {
+ if (!empty($texture) && $texture->type !== 'steve' && $texture->type !== 'alex') {
+ return abort(422);
+ }
+
 $size = (int) $request->query('size', 100);
 $mode = $request->has('3d') ? '3d' : '2d';
 $usePNG = $request->has('png') || !(imagetypes() & IMG_WEBP);
diff --git a/tests/HttpTest/ControllersTest/TextureControllerTest.php b/tests/HttpTest/ControllersTest/TextureControllerTest.php
index 10ded3fd..a5574a54 100644
--- a/tests/HttpTest/ControllersTest/TextureControllerTest.php
+++ b/tests/HttpTest/ControllersTest/TextureControllerTest.php
@@ -224,6 +224,9 @@ class TextureControllerTest extends TestCase
 {
 $disk = Storage::fake('textures');

+ $cape = Texture::factory()->cape()->create();
+ $this->get(route('avatar.texture', ['tid' => $cape->tid]))->assertStatus(422);
+
 $this->get(route('avatar.texture', ['tid' => 0]))
 ->assertSuccessful()
 ->assertHeader('Content-Type', 'image/webp');
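Review bot: In the guard added at the top of `avatar()` in TextureController.php, `!empty($texture)` on an object and the two chained `!==` comparisons hide that this is an allowlist of skin types; `if ($texture !== null && !in_array($texture->type, ['steve', 'alex'], true)) { abort(422); }` states it directly, and since `abort()` throws, the `return` in front of it is not needed. Dropping the `= null` default also makes the third argument mandatory, so any caller outside this hunk that relied on the default now has to pass `null` explicitly; the one visible caller already passes `$texture`. A short comment above the check, such as `// Avatars are rendered from skins only; any other texture type (e.g. a cape) is rejected with 422.`, would record why the type is tested here. The body of `avatar()` continues past the end of the hunk.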
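Review bot: The assertion added in TextureControllerTest.php pins only the rejection path (a cape returns 422); nothing visible in the hunk checks that both allowed types, `steve` and `alex`, still render through `avatar.texture`, so a typo in the allowlist would go unnoticed. Consider one request per allowed type, for example `$alex = Texture::factory()->create(['type' => 'alex']);` followed by `$this->get(route('avatar.texture', ['tid' => $alex->tid]))->assertSuccessful();`, with whatever fixture file the renderer needs on the faked `textures` disk. This is unnecessary if the part of the test outside the hunk already covers it; the test method starts before and continues after the visible lines.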