diff --git a/lib/create-entity-finder-api.js b/lib/create-entity-finder-api.js
index 8d0f531..00a05b6 100644
--- a/lib/create-entity-finder-api.js
+++ b/lib/create-entity-finder-api.js
@@ -4,6 +4,8 @@ const IP_REGEX = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/
 const ROOT_DOMAIN_REGEX = /[^.]+\.([^.]+|(gov|com|co|ne)\.\w{2})$/i
 
 function getDomainFromOriginOrURL(originOrURL) {
+  if (typeof originOrURL !== 'string') return null
+  if (originOrURL.length > 10000 || originOrURL.startsWith('data:')) return null
   if (DOMAIN_IN_URL_REGEX.test(originOrURL)) return originOrURL.match(DOMAIN_IN_URL_REGEX)[1]
   if (DOMAIN_CHARACTERS.test(originOrURL)) return originOrURL.match(DOMAIN_CHARACTERS)[0]
   throw new Error(`Unable to find domain in "${originOrURL}"`)
@@ -11,6 +13,7 @@ function getDomainFromOriginOrURL(originOrURL) {
 
 function getRootDomain(originOrURL) {
   const domain = getDomainFromOriginOrURL(originOrURL)
+  if (!domain) return null
   if (IP_REGEX.test(domain)) return domain
   const match = domain.match(ROOT_DOMAIN_REGEX)
   return (match && match[0]) || domain
@@ -19,6 +22,7 @@ function getRootDomain(originOrURL) {
 function getEntityInDataset(entityByDomain, entityByRootDomain, originOrURL) {
   const domain = getDomainFromOriginOrURL(originOrURL)
   const rootDomain = getRootDomain(domain)
+  if (!domain || !rootDomain) return undefined
   if (entityByDomain.has(domain)) return entityByDomain.get(domain)
   if (entityByRootDomain.has(rootDomain)) return entityByRootDomain.get(rootDomain)
   return undefined
diff --git a/lib/index.test.js b/lib/index.test.js
index c98224b..073a189 100644
--- a/lib/index.test.js
+++ b/lib/index.test.js
@@ -39,6 +39,11 @@ describe('getRootDomain', () => {
     expect(getRootDomain('*.hulce.photography')).toEqual('hulce.photography')
   })
 
+  it('runs on *massive* inputs', () => {
+    const massiveInput = '123456789'.repeat(100e3)
+    expect(getRootDomain(massiveInput)).toEqual(null)
+  })
+
   it('throws on invalid inputs', () => {
     expect(() => getRootDomain('this is not a domain')).toThrow()
     expect(() => getRootDomain('neither-is-this')).toThrow()
@@ -112,6 +117,11 @@ Object {
     expect(getEntity('http://fbcdn-photos-e-a.akamaihd.net/1234.jpg').name).toEqual('Facebook')
     expect(getEntity('http://unknown.akamaihd.net/1234.jpg').name).toEqual('Akamai')
   })
+
+  it('runs on *massive* inputs', () => {
+    const massiveInput = '123456789'.repeat(100e3)
+    expect(getEntity(massiveInput)).toEqual(undefined)
+  })
 })
 
 describe('build state', () => {