diff --git a/pxyconn.c b/pxyconn.c
index a987a45..19fad01 100644
--- a/pxyconn.c
+++ b/pxyconn.c
@@ -899,6 +899,7 @@ static int
 pxy_ocsp_is_valid_uri(const char *uri)
 {
 	char *buf_url;
+	size_t sz_url;
 	char *buf_b64;
 	size_t sz_b64;
 	unsigned char *buf_asn1;
@@ -908,7 +909,24 @@ pxy_ocsp_is_valid_uri(const char *uri)
 	buf_url = strrchr(uri, '/');
 	if (!buf_url)
 		return 0;
-	buf_b64 = url_dec(buf_url, strlen(buf_url), &sz_b64);
+	buf_url++;
+
+	/*
+	 * Do some quick checks to avoid unnecessary buffer allocations and
+	 * decoding URL, Base64 and ASN.1:
+	 * -   OCSP requests begin with a SEQUENCE (0x30), so the first Base64
+	 *     byte is 'M' or, unlikely but legal, the URL encoding thereof.
+	 * -   There should be no query string in OCSP GET requests.
+	 * -   Encoded OCSP request ASN.1 blobs are longer than 32 bytes.
+	 */
+	if (buf_url[0] != 'M' && buf_url[0] != '%')
+		return 0;
+	if (strchr(uri, '?'))
+		return 0;
+	sz_url = strlen(buf_url);
+	if (sz_url < 32)
+		return 0;
+	buf_b64 = url_dec(buf_url, sz_url, &sz_b64);
 	if (!buf_b64)
 		return 0;
 	buf_asn1 = base64_dec(buf_b64, sz_b64, &sz_asn1);