diff --git a/.env.example b/.env.example
index d87451b75..f5ed15a93 100644
--- a/.env.example
+++ b/.env.example
@@ -56,7 +56,7 @@ ACTIVITYPUB_SHAREDINBOX=false
 # php artisan optimize:clear
 # php artisan optimize
-PF_COSTAR_ENABLED=false
+PF_COSTAR_ENABLED=true
 CS_BLOCKED_DOMAINS='gab.com,gab.ai,develop.gab.com'
 CS_CW_DOMAINS='switter.at'
 CS_UNLISTED_DOMAINS='example.org,example.net,example.com'
diff --git a/app/Http/Controllers/Settings/PrivacySettings.php b/app/Http/Controllers/Settings/PrivacySettings.php
index d3283c921..8e987ab68 100644
--- a/app/Http/Controllers/Settings/PrivacySettings.php
+++ b/app/Http/Controllers/Settings/PrivacySettings.php
@@ -10,6 +10,7 @@ use App\Profile;
 use App\User;
 use App\UserFilter;
 use App\Util\Lexer\PrettyNumber;
+use App\Util\ActivityPub\Helpers;
 use Auth, Cache, DB;
 use Illuminate\Http\Request;
@@ -134,9 +135,13 @@ trait PrivacySettings
 public function blockedInstanceStore(Request $request)
 {
 $this->validate($request, [
- 'domain' => 'required|active_url'
+ 'domain' => 'required|url|min:1|max:120'
 ]);
 $domain = $request->input('domain');
+ if(Helpers::validateUrl($domain) == false) {
+ return abort(400, 'Invalid domain');
+ }
+ $domain = parse_url($domain, PHP_URL_HOST);
 $instance = Instance::firstOrCreate(['domain' => $domain]);
 $filter = new UserFilter;
 $filter->user_id = Auth::user()->profile->id;
diff --git a/app/Util/ActivityPub/Helpers.php b/app/Util/ActivityPub/Helpers.php
index f2c1169db..14e40cc40 100644
--- a/app/Util/ActivityPub/Helpers.php
+++ b/app/Util/ActivityPub/Helpers.php
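Review bot: `if(Helpers::validateUrl($domain) == false)` uses a loose comparison, and the host extracted on the next line is not normalised, so `https://Example.ORG` and `https://example.org` would yield two separate Instance rows from `firstOrCreate` unless Instance lowercases on save, which I cannot see from here. I would write `if (!Helpers::validateUrl($domain)) {` and `$domain = strtolower(parse_url($domain, PHP_URL_HOST));`. Because validateUrl now performs a DNS lookup (see the Helpers hunk), this endpoint turns user input into a resolver query; the throttle added in routes/web.php bounds the rate, but an explicit empty-host guard before `firstOrCreate` is still worth adding since `parse_url` returns null for a URL without a host. blockedInstanceStore continues past the end of the hunk.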
@@ -146,9 +146,13 @@ class Helpers {
 $host = parse_url($valid, PHP_URL_HOST);
+ if(count(dns_get_record($host, DNS_A | DNS_AAAA)) == 0) {
+ return false;
+ }
+
 if(config('costar.enabled') == true) {
 if(
- (config('costar.domain.block') != null && in_array($host, config('costar.domain.block')) == true) ||
+ (config('costar.domain.block') != null && Str::contains($host, config('costar.domain.block')) == true) ||
 (config('costar.actor.block') != null && in_array($url, config('costar.actor.block')) == true)
 ) {
 return false;
diff --git a/app/Util/RateLimit/User.php b/app/Util/RateLimit/User.php
index 75e4b1c6e..c93aa6c4f 100644
--- a/app/Util/RateLimit/User.php
+++ b/app/Util/RateLimit/User.php
@@ -48,4 +48,9 @@ trait User {
 {
 return 500;
 }
+
+ public function getMaxInstanceBansPerDayAttribute()
+ {
+ return 100;
+ }
 }
\ No newline at end of file
diff --git a/resources/views/settings/privacy/blocked-instances.blade.php b/resources/views/settings/privacy/blocked-instances.blade.php
index 34fb7d8fb..d7e6679f0 100644
--- a/resources/views/settings/privacy/blocked-instances.blade.php
+++ b/resources/views/settings/privacy/blocked-instances.blade.php
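Review bot: `count(dns_get_record($host, DNS_A | DNS_AAAA)) == 0` does not account for `dns_get_record` returning `false` on a resolver error rather than an empty answer: on PHP 8 `count(false)` throws a TypeError, and on PHP 7 it warns and evaluates to 1, so a failed lookup passes the check. Capture the result first: `$records = dns_get_record($host, DNS_A | DNS_AAAA); if ($records === false || count($records) === 0) { return false; }`. The change from `in_array` to `Str::contains` also turns the domain blocklist into a substring match, so a blocked `gab.com` rejects any unrelated host that merely contains that string; if subdomains are the goal, compare each entry with `$host === $blocked || Str::endsWith($host, '.' . $blocked)` instead, and make sure `Str` is imported in this file. Since this lookup runs on every call to the enclosing method (presumably validateUrl, which starts before the hunk), a slow resolver will now stall callers, so a cached or time-bounded lookup is worth considering.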
@@ -64,23 +64,34 @@
 },
 })
 .then(val => {
- if (!val) throw null;
+ if (!val) {
+ swal.stopLoading();
+ swal.close();
+ return;
+ };
+ let msg = 'The URL you have entered is not valid, please try again.'
 try {
 let validator = new URL(val);
- if(!validator.hostname) throw null;
+ if(!validator.hostname || validator.protocol != 'https:') {
+ swal.stopLoading();
+ swal.close();
+ swal('Invalid URL', msg, 'error');
+ return;
+ };
 axios.post(window.location.href, {
- domain: validator.hostname
+ domain: validator.href
 }).then(res => {
 window.location.href = window.location.href;
 }).catch(err => {
 swal.stopLoading();
 swal.close();
- swal('An Error Occured', 'An error occured, please try again later.', 'error');
+ swal('Invalid URL', msg, 'error');
+ return;
 });
 } catch(e) {
 swal.stopLoading();
 swal.close();
- swal('An Error Occured', 'An error occured, please try again later.', 'error');
+ swal('Invalid URL', msg, 'error');
 }
 })
 });
diff --git a/routes/web.php b/routes/web.php
index ee4da9733..4efa82265 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -192,7 +192,7 @@ Route::domain(config('pixelfed.domain.app'))->middleware(['validemail', 'twofact
 Route::get('privacy/blocked-users', 'SettingsController@blockedUsers')->name('settings.privacy.blocked-users');
 Route::post('privacy/blocked-users', 'SettingsController@blockedUsersUpdate');
 Route::get('privacy/blocked-instances', 'SettingsController@blockedInstances')->name('settings.privacy.blocked-instances');
- Route::post('privacy/blocked-instances', 'SettingsController@blockedInstanceStore');
+ Route::post('privacy/blocked-instances', 'SettingsController@blockedInstanceStore')->middleware('throttle:maxInstanceBansPerDay,1440');
 Route::post('privacy/blocked-instances/unblock', 'SettingsController@blockedInstanceUnblock')->name('settings.privacy.blocked-instances.unblock');
 Route::get('privacy/blocked-keywords', 'SettingsController@blockedKeywords')->name('settings.privacy.blocked-keywords');
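Review bot: The axios `.catch` now reports every failure as 'Invalid URL', including the 429 produced by the `throttle` middleware this commit adds to the route and any 5xx, so a rate-limited user is told their URL is malformed. Distinguish by status, e.g. `let bad = err.response && err.response.status === 400;` then `swal(bad ? 'Invalid URL' : 'An Error Occured', bad ? msg : 'An error occured, please try again later.', 'error');`. As a point of style, `validator.protocol != 'https:'` should be `!==`, and the `};` closing each of the two new if blocks leaves a stray empty statement. The enclosing handler starts before the hunk.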