diff --git a/app/room.py b/app/room.py
index 09afe24..e870316 100644
--- a/app/room.py
+++ b/app/room.py
@@ -92,6 +92,12 @@ class RoomManager:
                     except (WebSocketDisconnect, RuntimeError):
                         break
                     continue
+                if not isinstance(data, dict):
+                    try:
+                        await websocket.send_json({"type": "error", "code": "bad_message", "message": "Message must be a JSON object"})
+                    except (WebSocketDisconnect, RuntimeError):
+                        break
+                    continue
                 msg_type = data.get("type")
                 if msg_type == "ping":
                     await websocket.send_json({"type": "pong"})
@@ -119,6 +125,12 @@ class RoomManager:
                     except (WebSocketDisconnect, RuntimeError):
                         break
                     continue
+                if not isinstance(data, dict):
+                    try:
+                        await websocket.send_json({"type": "error", "code": "bad_message", "message": "Message must be a JSON object"})
+                    except (WebSocketDisconnect, RuntimeError):
+                        break
+                    continue
                 msg_type = data.get("type")
                 if msg_type == "ping":
                     await websocket.send_json({"type": "pong"})
@@ -268,7 +280,7 @@ class RoomManager:
             qidx = int(question_idx)
         except (TypeError, ValueError):
             return {"type": "error", "code": "bad_question", "message": "Invalid question index"}
-        if answer not in {"A", "B", "C", "D"}:
+        if not isinstance(answer, str) or answer not in {"A", "B", "C", "D"}:
             return {"type": "error", "code": "bad_answer", "message": "Answer must be A, B, C, or D"}
         async with self.locks[sid]:
             session = await self.get_session(sid)