diff --git a/CHANGELOG.md b/CHANGELOG.md
index 83454db9..1562f596 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ All notable changes to this project will be documented in this file.
 - Fix a crash during login when user's profile does not exist (#77)
 - Drop API support for GET, DELETE requests with a request body
 - Add missing @csrf_exempt annotations in API views
+- Fix the ping handler to reject status codes > 255
 ## v1.22.0 - 2020-08-06
diff --git a/hc/api/tests/test_ping.py b/hc/api/tests/test_ping.py
index 6f39a381..91c1bcf7 100644
--- a/hc/api/tests/test_ping.py
+++ b/hc/api/tests/test_ping.py
@@ -249,3 +249,7 @@ class PingTestCase(BaseTestCase):
         ping = Ping.objects.get()
         self.assertEqual(ping.kind, "fail")
         self.assertEqual(ping.exitstatus, 123)
+
+    def test_it_rejects_exit_status_over_255(self):
+        r = self.client.get(self.url + "/256")
+        self.assertEqual(r.status_code, 400)
diff --git a/hc/api/views.py b/hc/api/views.py
index d726e55e..6054dfbd 100644
--- a/hc/api/views.py
+++ b/hc/api/views.py
@@ -35,6 +35,9 @@ def ping(request, code, check=None, action="success", exitstatus=None):
     if check is None:
         check = get_object_or_404(Check, code=code)
+    if exitstatus is not None and exitstatus > 255:
+        return HttpResponseBadRequest("invalid url format")
+
     headers = request.META
     remote_addr = headers.get("HTTP_X_FORWARDED_FOR", headers["REMOTE_ADDR"])
     remote_addr = remote_addr.split(",")[0]
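Review bot: The new test_it_rejects_exit_status_over_255 pins only the rejecting side of the boundary, so an off-by-one in the handler's comparison (rejecting 255 as well) would still pass the suite; the existing 123 case is too far from the edge to catch it. A second request in the same test, `r = self.client.get(self.url + "/255")` followed by `self.assertEqual(r.status_code, 200)`, would fix the exact cut-off. The enclosing PingTestCase class starts outside the hunk.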
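Review bot: The new bounds check in ping() runs after get_object_or_404(Check, code=code), so a request with an out-of-range exit status still costs a database lookup before it is rejected; moving the three added lines above the `if check is None:` block validates the cheap, caller-controlled input first and avoids the query on malformed URLs. The comparison `exitstatus > 255` also assumes the URL converter already delivers an int (the existing test asserting `ping.exitstatus == 123` suggests it does, but that is not visible here) and checks only the upper bound, so a comment such as `# exit statuses are one byte; the URL pattern is assumed to allow digits only` would record both assumptions for the next reader. The body of ping() continues outside the hunk.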