diff --git a/core/core.js b/core/core.js
index 1fc3173d..cea15bb0 100644
--- a/core/core.js
+++ b/core/core.js
@@ -630,10 +630,9 @@ async function blobHandler(request, response, blobId, uri) {
 			}
 		}
 	} else if (uri == "/save") {
-		let newBlobId = await ssb.blobStore(request.body);
-
 		var match;
 		if (match = /^\/\~(\w+)\/(\w+)$/.exec(blobId)) {
+			let newBlobId = await ssb.blobStore(request.body);
 			var user = match[1];
 			var appName = match[2];
 			var credentials = auth.query(request.headers);
@@ -660,10 +659,14 @@ async function blobHandler(request, response, blobId, uri) {
 				response.end("401 Unauthorized");
 				return;
 			}
+
+			response.writeHead(200, {"Content-Type": "text/plain; charset=utf-8"});
+			response.end("/" + newBlobId);
+		} else {
+			response.writeHead(400, {"Content-Type": "text/plain; charset=utf-8"});
+			response.end('Invalid name.');
 		}
 
-		response.writeHead(200, {"Content-Type": "text/plain; charset=utf-8"});
-		response.end("/" + newBlobId);
 	} else if (uri == "/delete") {
 		let match;
 		if (match = /^\/\~(\w+)\/(\w+)$/.exec(blobId)) {
diff --git a/core/httpd.js b/core/httpd.js
index 7d48ce4a..6f907459 100644
--- a/core/httpd.js
+++ b/core/httpd.js
@@ -94,6 +94,7 @@ function Response(request, client) {
 		200: 'OK',
 		303: 'See other',
 		304: 'Not Modified',
+		400: 'Bad Request',
 		403: 'Forbidden',
 		404: 'File not found',
 		500: 'Internal server error',