diff --git a/Iceshrimp.Backend/Controllers/Mastodon/AccountController.cs b/Iceshrimp.Backend/Controllers/Mastodon/AccountController.cs
index 3f082d72..1c9edc5c 100644
--- a/Iceshrimp.Backend/Controllers/Mastodon/AccountController.cs
+++ b/Iceshrimp.Backend/Controllers/Mastodon/AccountController.cs
@@ -1,3 +1,4 @@
+using System.ComponentModel.DataAnnotations;
 using System.Diagnostics.CodeAnalysis;
 using System.Net;
 using System.Net.Mime;
@@ -171,7 +172,7 @@ public class AccountController(
 	[HttpGet]
 	[ProducesResults(HttpStatusCode.OK)]
 	[ProducesErrors(HttpStatusCode.Forbidden)]
-	public async Task<IEnumerable<AccountEntity>> GetManyUsers([FromQuery(Name = "id")] List<string> ids)
+	public async Task<IEnumerable<AccountEntity>> GetManyUsers([FromQuery(Name = "id")] [MaxLength(40)] HashSet<string> ids)
 	{
 		var localUser = HttpContext.GetUser();
 		if (config.Value.PublicPreview == Enums.PublicPreview.Lockdown && localUser == null)
diff --git a/Iceshrimp.Backend/Controllers/Mastodon/StatusController.cs b/Iceshrimp.Backend/Controllers/Mastodon/StatusController.cs
index 2440883b..4d63dc34 100644
--- a/Iceshrimp.Backend/Controllers/Mastodon/StatusController.cs
+++ b/Iceshrimp.Backend/Controllers/Mastodon/StatusController.cs
@@ -1,3 +1,4 @@
+using System.ComponentModel.DataAnnotations;
 using System.Net;
 using System.Net.Mime;
 using AsyncKeyedLock;
@@ -75,7 +76,7 @@ public class StatusController(
 	[Authenticate("read:statuses")]
 	[ProducesResults(HttpStatusCode.OK)]
 	[ProducesErrors(HttpStatusCode.Forbidden)]
-	public async Task<IEnumerable<StatusEntity>> GetManyNotes([FromQuery(Name = "id")] List<string> ids)
+	public async Task<IEnumerable<StatusEntity>> GetManyNotes([FromQuery(Name = "id")] [MaxLength(20)] HashSet<string> ids)
 	{
 		var user = HttpContext.GetUser();
 		if (security.Value.PublicPreview == Enums.PublicPreview.Lockdown && user == null)