diff --git a/hagrid-routes.conf b/hagrid-routes.conf
index ba326bb..67ef6a0 100644
--- a/hagrid-routes.conf
+++ b/hagrid-routes.conf
@@ -79,18 +79,23 @@ location /vks/v1/ {
 # Common HKP requests.
 location /pks/lookup {
- # rewrite this to a path we can match on (right below)
- if ($args ~ "op=.*search=") {
- # urldecode the search parameter
- set_by_lua $arg_search_decoded "return ngx.arg[1]:gsub(\"%%(%x%x)\", function(x) return string.char(tonumber(x, 16)) end)" $arg_search;
- # if the search argument contains angle brackets, strip everything around them
- set_by_lua $arg_search_decoded "return ngx.arg[1]:gsub(\"^.*<([^>]-)>.*$\", \"%1\")" $arg_search_decoded;
- rewrite . /pks/internal/$arg_op/$arg_search_decoded last;
+ if ($arg_op !~ "^index|get$") {
+ add_header 'Access-Control-Allow-Origin' '*';
+ error_page 400 /errors-static/400-pks-invalid.htm;
+ return 400;
+ }
+ if ($arg_search = '') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ error_page 400 /errors-static/400-pks-invalid.htm;
+ return 400;
 }
- add_header 'Access-Control-Allow-Origin' '*';
- error_page 400 /errors-static/400-pks-invalid.htm;
- return 400;
+ # rewrite this to a path we can match on (right below)
+ # urldecode the search parameter
+ set_by_lua $arg_search_decoded "return ngx.arg[1]:gsub(\"%%(%x%x)\", function(x) return string.char(tonumber(x, 16)) end)" $arg_search;
+ # if the search argument contains angle brackets, strip everything around them
+ set_by_lua $arg_search_decoded "return ngx.arg[1]:gsub(\"^.*<([^>]-)>.*$\", \"%1\")" $arg_search_decoded;
+ rewrite . /pks/internal/$arg_op/$arg_search_decoded last;
 }
 # WKD requests
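Review bot: The new op check `if ($arg_op !~ "^index|get$")` does not restrict `op` to the two intended values, because without a group the alternation reads as `^index` or `get$`, so any value that merely starts with "index" or ends with "get" passes. That value is then interpolated unchanged into `rewrite . /pks/internal/$arg_op/$arg_search_decoded last;`, so the allow-list does not bound what reaches the internal path. Group the alternatives: `if ($arg_op !~ "^(index|get)$") {`. The internal location that consumes the rewritten path is outside this hunk, so how it handles an unexpected op segment cannot be confirmed from here.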