diff --git a/services/web/app/src/Features/PasswordReset/PasswordResetController.mjs b/services/web/app/src/Features/PasswordReset/PasswordResetController.mjs
index 2963c56653..d1c8a4ee47 100644
--- a/services/web/app/src/Features/PasswordReset/PasswordResetController.mjs
+++ b/services/web/app/src/Features/PasswordReset/PasswordResetController.mjs
@@ -8,6 +8,7 @@ import UserSessionsManager from '../User/UserSessionsManager.js'
 import OError from '@overleaf/o-error'
 import EmailsHelper from '../Helpers/EmailHelper.js'
 import { expressify } from '@overleaf/promise-utils'
+import { z, validateReq } from '../../infrastructure/Validation.js'
 async function setNewUserPassword(req, res, next) {
 let user
@@ -195,8 +196,15 @@ async function renderSetPasswordForm(req, res, next) {
 })
 }
+const renderRequestResetFormSchema = z.object({
+ query: z.object({
+ error: z.string().optional(),
+ }),
+})
+
 async function renderRequestResetForm(req, res) {
- const errorQuery = req.query.error
+ const { query } = validateReq(req, renderRequestResetFormSchema)
+ const errorQuery = query.error
 let error = null
 if (errorQuery === 'token_expired') {
 error = 'password_reset_token_expired'
diff --git a/services/web/app/src/Features/PasswordReset/PasswordResetRouter.mjs b/services/web/app/src/Features/PasswordReset/PasswordResetRouter.mjs
index 79cbeaf3f8..fa3f11347c 100644
--- a/services/web/app/src/Features/PasswordReset/PasswordResetRouter.mjs
+++ b/services/web/app/src/Features/PasswordReset/PasswordResetRouter.mjs
@@ -18,9 +18,6 @@ export default {
 webRouter.get(
 '/user/password/reset',
- validate({
- query: { error: Joi.string() },
- }),
 PasswordResetController.renderRequestResetForm
 )
 webRouter.post(
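Review bot: Nothing in the second hunk shows what the client receives when `validateReq(req, renderRequestResetFormSchema)` rejects the query, and with the route-level `validate({ query: { error: Joi.string() } })` removed in PasswordResetRouter.mjs this call is now the only check on `?error=`. A repeated or bracketed parameter (`?error=a&error=b`) arrives as an array or object under Express's default query parser, so `z.string()` will reject it from inside the async handler. That rejection should surface as a 400 rather than a 500 or an unhandled rejection, which presumably depends on the handler being exported through `expressify` and on the error middleware recognising the validation error; neither is visible here. I would add a controller test for the non-string case and a comment above the call such as `// throws on a non-string ?error= (array/object); error middleware must answer 400`. `z.string()` also accepts an empty string where `Joi.string()` by default did not, which looks harmless in the lines shown because `errorQuery` is only compared with a fixed value, but renderRequestResetForm's body continues outside the hunk.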