diff --git a/go.mod b/go.mod
index 3a51bf4..5b39e79 100644
--- a/go.mod
+++ b/go.mod
@@ -27,4 +27,6 @@ require (
 golang.org/x/tools v0.31.0 // indirect
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
+ k8s.io/apimachinery v0.33.3 // indirect
+ k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
 )
diff --git a/go.sum b/go.sum
index 7c87f90..2b401c4 100644
--- a/go.sum
+++ b/go.sum
@@ -51,5 +51,9 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntN
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/apimachinery v0.33.3 h1:4ZSrmNa0c/ZpZJhAgRdcsFcZOw1PQU1bALVQ0B3I5LA=
+k8s.io/apimachinery v0.33.3/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
+k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
diff --git a/internal/proxy/proxy.go b/internal/proxy/proxy.go
index 9d5d65c..4075c15 100644
--- a/internal/proxy/proxy.go
+++ b/internal/proxy/proxy.go
@@ -29,6 +29,7 @@ import (
 "github.com/go-logr/logr"
 lru "github.com/hashicorp/golang-lru/v2"
+ "k8s.io/apimachinery/pkg/util/validation"
 "k8s.io/klog/v2"
 )
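Review bot: In the go.mod hunk, `k8s.io/apimachinery v0.33.3 // indirect` is recorded as indirect, yet internal/proxy/proxy.go in this same commit imports `k8s.io/apimachinery/pkg/util/validation` directly. Running `go mod tidy` should move it into the direct require block as `k8s.io/apimachinery v0.33.3`, which keeps the manifest honest about what the proxy depends on for input validation. `k8s.io/utils` presumably stays indirect as a transitive requirement. The require block begins outside the hunk.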
@@ -180,9 +181,20 @@ func (s *Server) prefillerProxyHandler(hostPort string) (http.Handler, error) {
 s.logger.Error(err, "failed to parse URL", "hostPort", hostPort)
 return nil, err
 }
+ if err := validateTarget(u.Hostname()); err != nil {
+ s.logger.Error(err, "invalid target", "hostPort", hostPort)
+ return nil, err
+ }
 proxy = httputil.NewSingleHostReverseProxy(u)
 s.prefillerProxies.Add(hostPort, proxy)
 return proxy, nil
 }
+
+func validateTarget(target string) error {
+ if net.ParseIP(target) != nil || len(validation.IsDNS1123Subdomain(target)) == 0 {
+ return nil
+ }
+ return errors.New(target + " is not a valid prefill target")
+}
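Review bot: validateTarget checks only that the host is syntactically an IP or a DNS-1123 name, so loopback, link-local and unspecified addresses still satisfy `net.ParseIP(target) != nil` and get a cached reverse proxy. If hostPort originates from the request (its source is outside this hunk), the proxy can still be pointed at node-local or metadata endpoints. I would reject those address classes here, unless a loopback prefiller is a supported deployment. A configured allowlist of prefill peers would be stronger, since a well-formed DNS name can resolve to any address. Only `u.Hostname()` is validated, so the port and any path or userinfo carried in the parsed URL pass through unchecked; prefillerProxyHandler starts outside the hunk.

```go
func validateTarget(target string) error {
	if ip := net.ParseIP(target); ip != nil {
		// Well-formed is not the same as permitted: refuse address classes
		// that should never be a prefill peer.
		if ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() || ip.IsMulticast() {
			return errors.New(target + " is not an allowed prefill target")
		}
		return nil
	}
	if len(validation.IsDNS1123Subdomain(target)) == 0 {
		return nil
	}
	return errors.New(target + " is not a valid prefill target")
}
```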