diff --git a/src/web/mod.rs b/src/web/mod.rs
index 5e0e21f2..3b910e73 100644
--- a/src/web/mod.rs
+++ b/src/web/mod.rs
@@ -1,6 +1,7 @@
 use askama::Template;
 use axum::{
 Router,
+ extract::rejection::{FormRejection, QueryRejection},
 http::{HeaderValue, StatusCode, header},
 response::{Html, IntoResponse, Response},
 };
@@ -18,6 +19,12 @@ enum WebError {
 Render(#[from] askama::Error),
 #[error("Failed to validate form body: {0}")]
 ValidationError(#[from] validator::ValidationErrors),
+
+ #[error("{0}")]
+ QueryRejection(#[from] QueryRejection),
+ #[error("{0}")]
+ FormRejection(#[from] FormRejection),
+
 #[error("Bad request: {0}")]
 BadRequest(String),
 #[error("This page does not exist.")]
@@ -35,7 +42,10 @@ impl IntoResponse for WebError {
 status: StatusCode,
 }
 let status = match &self {
- | Self::ValidationError(_) | Self::BadRequest(_) => StatusCode::BAD_REQUEST,
+ | Self::ValidationError(_)
+ | Self::BadRequest(_)
+ | Self::QueryRejection(_)
+ | Self::FormRejection(_) => StatusCode::BAD_REQUEST,
 | Self::NotFound => StatusCode::NOT_FOUND,
 | _ => StatusCode::INTERNAL_SERVER_ERROR,
 };
diff --git a/src/web/pages/password_reset.rs b/src/web/pages/password_reset.rs
index dc2f25f2..cc66d69f 100644
--- a/src/web/pages/password_reset.rs
+++ b/src/web/pages/password_reset.rs
@@ -1,7 +1,10 @@
 use askama::Template;
 use axum::{
 Router,
- extract::{Query, State},
+ extract::{
+ Query, State,
+ rejection::{FormRejection, QueryRejection},
+ },
 http::StatusCode,
 response::{Html, IntoResponse, Response},
 routing::get,
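Review bot: In `src/web/mod.rs`, the status `match` in `impl IntoResponse for WebError` maps every `QueryRejection` and `FormRejection` to 400, which discards the status axum already attached to the rejection. Form rejections in particular are not all bad-request cases (a wrong content type or a body that could not be read carries its own code), so clients and access logs lose that distinction. Both rejection types expose `status()`, so the two arms could be `| Self::QueryRejection(e) => e.status(),` and `| Self::FormRejection(e) => e.status(),`. The `impl` block starts and ends outside the hunk, so how `status` is used after the `match` is not visible here.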
@@ -78,16 +81,21 @@ async fn password_reset_form(
 
 async fn get_password_reset(
 State(services): State,
- Query(query): Query,
+ query: Result, QueryRejection>,
 ) -> Result {
+ let Query(query) = query?;
+
 password_reset_form(services, query, PasswordResetForm::build(None)).await
 }
 
 async fn post_password_reset(
 State(services): State,
- Query(query): Query,
- axum::Form(form): axum::Form,
+ query: Result, QueryRejection>,
+ form: Result, FormRejection>,
 ) -> Result {
+ let Query(query) = query?;
+ let axum::Form(form) = form?;
+
 match form.validate() {
 | Ok(()) => {
 let Some(token) = services.password_reset.check_token(&query.token).await else {
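Review bot: `get_password_reset` and `post_password_reset` now take their extractors as `Result` and unwrap them with `?`, but nothing in the code says why. A later cleanup could revert to the bare `Query(..)` / `axum::Form(..)` patterns and silently bring back axum's default rejection response on the password-reset route. A short comment above the first `let Query(query) = query?;` would record the intent, for example `// Extract as Result so a rejection goes through this handler's error type (presumably WebError) instead of axum's default response.` The same applies to the two `let` lines in `post_password_reset`, whose body continues past the end of the hunk.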