diff --git a/http_handler_test.go b/http_handler_test.go
index 9da3dc7b5..a4e9bcdf7 100644
--- a/http_handler_test.go
+++ b/http_handler_test.go
@@ -23,6 +23,7 @@ package zap_test
import (
"encoding/json"
"errors"
+ "io"
"net/http"
"net/http/httptest"
"strings"
@@ -215,3 +216,44 @@ type brokenHTTPResponseWriter struct {
func (w *brokenHTTPResponseWriter) Write([]byte) (int, error) {
return 0, errors.New("great sadness")
}
+
+func TestAtomicLevelServeHTTPBadLevel(t *testing.T) {
+ srv := httptest.NewServer(zap.NewAtomicLevel())
+ defer srv.Close()
+
+ req, err := http.NewRequest(http.MethodPut, srv.URL, strings.NewReader(`{"level":""}`))
+ require.NoError(t, err, "Error constructing request.")
+
+ res, err := http.DefaultClient.Do(req)
+ require.NoError(t, err, "Error making request.")
+ defer func() {
+ assert.NoError(t, res.Body.Close(), "Error closing response body.")
+ }()
+
+ assert.Equal(t, http.StatusBadRequest, res.StatusCode, "Unexpected status code.")
+ resBody, err := io.ReadAll(res.Body)
+ require.NoError(t, err, "Error reading response body.")
+
+ assert.Contains(t, string(resBody), "unrecognized level", "Unexpected error message.")
+ assert.NotContains(t, string(resBody), ""}`)
+ f.Fuzz(func(t *testing.T, input string) {
+ lvl := zap.NewAtomicLevel()
+
+ resw := httptest.NewRecorder()
+ req, err := http.NewRequest(http.MethodPut, "http://localhost:9999/log/level", strings.NewReader(input))
+ require.NoError(t, err, "Error constructing request.")
+
+ lvl.ServeHTTP(resw, req)
+
+ require.NotEqual(t, http.StatusInternalServerError, resw.Code, "Unexpected status code.")
+
+ // Response body must never contain HTML tags.
+ assert.NotRegexp(t, `<[^>]+>`, resw.Body.String(), "Unexpected HTML tag in response body.")
+ })
+}
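Review bot: The `NotRegexp` assertion on `<[^>]+>` in the fuzz body only fails when the response contains a complete tag, so a body that echoes an unterminated tag fragment would still pass. If the handler is expected to escape or drop angle brackets in its error output (not visible in this hunk), the stricter `assert.NotContains(t, resw.Body.String(), "<", "Unexpected '<' in response body.")` pins that directly. Whether reflected markup is harmful also depends on how the response is typed, so I would add `assert.NotContains(t, resw.Header().Get("Content-Type"), "text/html", "Unexpected HTML content type.")` next to it. The fuzz function's declaration and seed corpus are not visible on this page (the text between the last assertion of `TestAtomicLevelServeHTTPBadLevel` and `f.Fuzz` appears to be lost), so this covers only the visible body.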