diff --git a/app/controllers/web_key_directory_controller.rb b/app/controllers/web_key_directory_controller.rb
index cc2e439..8e34bad 100644
--- a/app/controllers/web_key_directory_controller.rb
+++ b/app/controllers/web_key_directory_controller.rb
@@ -3,8 +3,15 @@ class WebKeyDirectoryController < WellKnownController
 # /.well-known/openpgpkey/hu/:hashed_username(.txt)?l=username
 def show
- username = params[:l] || ""
- @user = User.find_by(cn: username.downcase)
+ if params[:l].blank?
+ # TODO store hashed username in db if existing implementations trigger
+ # this a lot
+ msg = "WKD request with \"l\" param omitted for hu: #{params[:hashed_username]})"
+ Sentry.capture_message(msg) if Setting.sentry_enabled?
+ http_status :bad_request and return
+ end
+
+ @user = User.find_by(cn: params[:l].downcase)
 if @user.nil? ||
 @user.pgp_pubkey.blank? ||
diff --git a/spec/requests/web_key_directory_spec.rb b/spec/requests/web_key_directory_spec.rb
index aa3fb63..ad524db 100644
--- a/spec/requests/web_key_directory_spec.rb
+++ b/spec/requests/web_key_directory_spec.rb
@@ -10,9 +10,9 @@ RSpec.describe "OpenPGP Web Key Directory", type: :request do
 end
 describe "omitted 'l' param" do
- it "returns a 404 status" do
+ it "returns a 400 status" do
 get "/.well-known/openpgpkey/hu/fmb8gw3n4zdj4xpwaziki4mwcxr1368i"
- expect(response).to have_http_status(:not_found)
+ expect(response).to have_http_status(:bad_request)
 end
 end
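Review bot: In `WebKeyDirectoryController#show`, `params[:l]` is still assumed to be a String when `.downcase` is called: a query such as `?l[]=x` yields an Array that passes the `blank?` guard and would then raise NoMethodError, so an unauthenticated client gets a 500 rather than the new 400. Type-checking in the guard closes that, e.g. `if !params[:l].is_a?(String) || params[:l].blank?`. The Sentry message also interpolates the client-supplied `params[:hashed_username]` (and ends with a stray `)`), so every made-up hash becomes a distinct event on a public endpoint. A constant message with the value passed separately, `Sentry.capture_message(msg, extra: { hashed_username: params[:hashed_username] })`, would group these, and the report probably wants a rate limit or sampling. The body of `show` continues past the end of the hunk.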
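Review bot: The updated example in `spec/requests/web_key_directory_spec.rb` exercises only a request with no `l` at all, while the new controller branch is `params[:l].blank?` and so also covers an empty value. Adding examples for `?l=` (expect `:bad_request`) and for a non-string value such as `?l[]=x` would pin the intended status for malformed input. Nothing here asserts that the Sentry report is skipped when `Setting.sentry_enabled?` is false, which seems worth a stubbed expectation.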