diff --git a/src/app/avatar/route.js b/src/app/avatar/route.js
index 4f5954a..42b87a9 100644
--- a/src/app/avatar/route.js
+++ b/src/app/avatar/route.js
@@ -3,7 +3,8 @@ import { NextResponse } from 'next/server';
 export async function GET(request) {
 const { searchParams } = new URL(request.url);
 const query = searchParams.has('icon_url') ? searchParams.get('icon_url') : '';
- const iconUrl = query || 'https://github.com/hugovk.png?size=80';
+ const allowedDomain = 'github.com';
+ const iconUrl = query && new URL(query).hostname === allowedDomain ? query : 'https://github.com/hugovk.png?size=80';
 
 // Fetch the image and convert it to a Base64-encoded string. Revalidate cache every 30days.
 const imageResponse = await fetch(iconUrl, { next: { revalidate: 2592000 } });
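Review bot: `new URL(query)` on the added `iconUrl` line throws a TypeError when `icon_url` is not an absolute URL, so a malformed parameter makes the handler throw instead of falling back to the default avatar. Parse once with the failure handled and pin the scheme as well, e.g. `const parsed = URL.canParse(query) ? new URL(query) : null;` followed by `const iconUrl = parsed?.protocol === 'https:' && parsed.hostname === allowedDomain ? parsed.href : 'https://github.com/hugovk.png?size=80';` (use a try/catch where the runtime lacks `URL.canParse`). The hostname comparison covers only the first request: `fetch` follows redirects by default, so the host that finally serves the body is not checked here, and whether the response is validated later cannot be seen because GET's body continues past the hunk. A comment above `allowedDomain` such as `// icon_url is caller-controlled; only fetch from github.com (SSRF guard).` would record why the allowlist exists.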