diff --git a/src/controllers/index.js b/src/controllers/index.js
index 1861422db9..5539cae729 100644
--- a/src/controllers/index.js
+++ b/src/controllers/index.js
@@ -286,7 +286,7 @@ Controllers.outgoing = function (req, res, next) {
 var allowedProtocols = ['http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn', 'tel', 'fax', 'xmpp', 'webcal'];
 var parsed = require('url').parse(url);
- if (!url || !allowedProtocols.includes(parsed.protocol.slice(0, -1))) {
+ if (!url || !parsed.protocol || !allowedProtocols.includes(parsed.protocol.slice(0, -1))) {
 return next();
 }
diff --git a/test/controllers.js b/test/controllers.js
index 6293f60e2f..81d08e5572 100644
--- a/test/controllers.js
+++ b/test/controllers.js
@@ -352,6 +352,15 @@ describe('Controllers', function () {
 });
 });
+ it('should 404 on /outgoing with invalid url', function (done) {
+ request(nconf.get('url') + '/outgoing?url=derp', function (err, res, body) {
+ assert.ifError(err);
+ assert.equal(res.statusCode, 404);
+ assert(body);
+ done();
+ });
+ });
 it('should load /tos', function (done) {
 meta.config.termsOfUse = 'please accept our tos';
 request(nconf.get('url') + '/tos', function (err, res, body) {
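Review bot: The `!url` guard on the changed line still runs after `require('url').parse(url)` on the line above it, so if `url` can be undefined or a non-string here (it is assigned outside the hunk, presumably from the request query) the legacy parser throws a TypeError before the guard is reached and the request ends in a 500 rather than the intended `next()`; the added `!parsed.protocol` check only covers the string-without-scheme case that the new test exercises. Move the emptiness test ahead of the parse and tighten it to `if (typeof url !== 'string' || !url) { return next(); }`, leaving `if (!parsed.protocol || !allowedProtocols.includes(parsed.protocol.slice(0, -1))) {` as the allowlist check. Since `url.parse` is the legacy, lenient parser, consider a comment such as `// legacy url.parse is lenient; protocol is null for scheme-less input, hence the explicit check` so the reason for the extra guard survives a future switch to the WHATWG URL constructor. The enclosing Controllers.outgoing function starts and ends outside the hunk.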
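Review bot: The new test pins only the scheme-less input path (`url=derp`), which is the crash the fix addresses, while the allowlist branch that decides whether a scheme is permitted has no coverage in this file section. Add a sibling `it` that requests `/outgoing` with a URL whose scheme is outside `allowedProtocols` and asserts the same 404, and one with an allowed scheme asserting the non-404 outcome, so a later edit to the list or to the `slice(0, -1)` handling is caught. `assert(body)` only checks for a non-empty response; asserting on a recognisable fragment of the 404 page would make the test tell the reader which page was served. The enclosing `describe('Controllers', ...)` block starts and ends outside the hunk.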