diff --git a/backend/src/api/routes/presets.ts b/backend/src/api/routes/presets.ts
index f02d85694..8a68f8825 100644
--- a/backend/src/api/routes/presets.ts
+++ b/backend/src/api/routes/presets.ts
@@ -46,11 +46,11 @@ router.patch(
 RateLimit.presetsEdit,
 validateRequest({
 body: {
- _id: joi.string().required(),
+ _id: joi.string().token().required(),
 name: presetNameSchema,
 config: configSchema
 .keys({
- tags: joi.array().items(joi.string()),
+ tags: joi.array().items(joi.string().token().max(50)),
 })
 .allow(null),
 },
@@ -64,7 +64,7 @@ router.delete(
 RateLimit.presetsRemove,
 validateRequest({
 params: {
- presetId: joi.string().required(),
+ presetId: joi.string().token().required(),
 },
 }),
 asyncHandler(PresetController.removePreset)
diff --git a/backend/src/api/schemas/filter-schema.ts b/backend/src/api/schemas/filter-schema.ts
index 91499bbf0..793407b24 100644
--- a/backend/src/api/schemas/filter-schema.ts
+++ b/backend/src/api/schemas/filter-schema.ts
@@ -79,9 +79,12 @@ const FILTER_SCHEMA = {
 all: joi.bool().required(),
 })
 .required(),
- tags: joi.object().required(),
- language: joi.object().required(),
- funbox: joi.object().required(),
+ tags: joi.object().pattern(joi.string().token(), joi.bool()).required(),
+ language: joi
+ .object()
+ .pattern(joi.string().pattern(/^[a-zA-Z0-9_+]+$/), joi.bool())
+ .required(),
+ funbox: joi.object().pattern(/\w+/, joi.bool()).required(),
 };
 
 export default FILTER_SCHEMA;
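Review bot: The `tags` array in the `router.patch` body limits each item with `.max(50)` but not the number of items, and `_id` (like `presetId` in the `router.delete` hunk) has no length bound, so arbitrarily large values still pass validation. Consider `tags: joi.array().items(joi.string().token().max(50)).max(MAX_PRESET_TAGS)`, where `MAX_PRESET_TAGS` is a placeholder for a limit the project chooses. If preset ids are fixed-format database object ids (not visible in this hunk), a rule such as `joi.string().hex().length(24)` would be tighter than `token()`. The `router.patch(` call starts outside the hunk.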
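Review bot: The `funbox` key pattern `/\w+/` is unanchored, so it accepts any key that merely contains one word character, including keys with `$`, `.` or whitespace, whereas the `tags` and `language` patterns in the same hunk constrain the whole key. Anchoring it, `funbox: joi.object().pattern(/^\w+$/, joi.bool()).required(),`, would make the three filters consistent; confirm first that every funbox name consists only of word characters. None of the three objects caps its number of keys, so a `.max()` on each object (limit chosen by the project) would also bound what gets accepted and stored. `FILTER_SCHEMA` starts outside the hunk.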