diff --git a/index.js b/index.js
index 8776356..053315f 100644
--- a/index.js
+++ b/index.js
@@ -176,11 +176,16 @@ function catchExceptionsJson(wrapped) {
 async function getGameListHandler(req, res, next) {
 res.set('Cache-Control', 'no-store');
- const afterTime = req.params.afterTime;
+ const afterTime =
+ (typeof req.params.afterTime === 'string') ?
+ Number(req.params.afterTime) :
+ undefined;
- if (afterTime !== undefined && !afterTime.match(/^\d+$/)) {
- res.status(400).json({ message: 'malformed time' });
- return;
+ if (afterTime !== undefined) {
+ if (!Number.isInteger(afterTime) || String(afterTime) !== req.params.afterTime) {
+ res.status(400).json({ message: 'malformed time' });
+ return;
+ }
 }
 const pollTimeout = waitFor(POLLING_TIMEOUT).then(() => 'timeout').catch(()=>{});
@@ -197,7 +202,7 @@ async function getGameListHandler(req, res, next) {
 LIMIT 1000
 `;
 const results = await (await dbInit).allAsync(querySql, {
- $afterTime: checkInteger(Number(afterTime), 'afterTime', 0),
+ $afterTime: afterTime,
 $cutoff: cutoff,
 });
@@ -224,14 +229,18 @@ async function getGameHandler(req, res, next) {
 res.set('Cache-Control', 'no-store');
 const gameId = req.params.gameId;
- const afterTime = req.params.afterTime;
- if (!gameId.match(/^[0-9a-f]{16}$/)) {
+ if (typeof gameId !== 'string' || !gameId.match(/^[0-9a-f]{16}$/)) {
 res.status(400).json({ message: 'malformed game ID' });
 return;
 }
- if (afterTime !== undefined && !afterTime.match(/^\d+$/)) {
+ const afterTime =
+ (typeof req.params.afterTime === 'string') ?
+ Number(req.params.afterTime) :
+ undefined;
+
+ if (afterTime !== undefined && String(afterTime) !== req.params.afterTime) {
 res.status(400).json({ message: 'malformed time' });
 return;
 }
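Review bot: Negative values now pass the new guard in getGameListHandler: `Number('-5')` is an integer and round-trips through `String()`, so `-5` reaches `$afterTime`, whereas the removed `^\d+$` regex rejected it and the `checkInteger(Number(afterTime), 'afterTime', 0)` call dropped in the next hunk presumably enforced a lower bound of 0 (checkInteger itself is not visible here, so confirm). Add the bound back into the check: `if (!Number.isInteger(afterTime) || afterTime < 0 || String(afterTime) !== req.params.afterTime) {`. The query is parameterized, so this is not an injection path, but it widens the values that reach the database compared with the old code. getGameListHandler continues outside this hunk.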
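Review bot: The `afterTime` guard in getGameHandler lacks the `Number.isInteger` test that getGameListHandler applies, so `'NaN'`, `'Infinity'`, `'1.5'` and `'-5'` all survive `String(Number(x)) === x` and are accepted where the removed `^\d+$` regex rejected them. The two handlers should apply one rule; change the line to `if (afterTime !== undefined && (!Number.isInteger(afterTime) || afterTime < 0 || String(afterTime) !== req.params.afterTime)) {`. How `afterTime` is consumed later in the function is outside this hunk, so the impact of a NaN or negative value there cannot be judged from what is shown. getGameHandler continues past the end of the hunk.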
@@ -305,13 +314,14 @@ async function postGameHandler(req, res, next) {
 res.set('Cache-Control', 'no-store');
 const gameId = req.params.gameId;
- const body = validateUpdate(req.body);
- if (!gameId.match(/^[0-9a-f]{16}$/)) {
+ if (typeof gameId !== 'string' || !gameId.match(/^[0-9a-f]{16}$/)) {
 res.status(400).json({ message: 'malformed game ID' });
 return;
 }
+ const body = validateUpdate(req.body);
+
 if (!body) {
 res.status(400).json({ message: 'invalid request' });
 return;
@@ -331,11 +341,6 @@ async function postGameHandler(req, res, next) {
 $time: time,
 };
- if (params.$modified >= params.$time) {
- res.status(400).json({ message: 'invalid modification time' });
- return;
- }
 let setClause = '';
 let whereClause = '';
 let hasBoard = false;