diff --git a/rest_api/sawtooth_rest_api/route_handlers.py b/rest_api/sawtooth_rest_api/route_handlers.py
index 3166c5eaa4..8dbb30e66e 100644
--- a/rest_api/sawtooth_rest_api/route_handlers.py
+++ b/rest_api/sawtooth_rest_api/route_handlers.py
@@ -262,7 +262,7 @@ async def list_state(self, request):
             paging: Paging info and nav, like total resources and a next link
         """
         paging_controls = self._get_paging_controls(request)
-
+        head_id=self._state_head_id(request)
         head, root = await self._head_to_root(request.url.query.get(
             'head', None))
         validator_query = client_state_pb2.ClientStateListRequest(
@@ -1007,6 +1007,17 @@ def _get_head_id(cls, request):
         return head_id
 
+    @classmethod
+    def _state_head_id(cls, request):
+        """Fetches the request's head query, and validates if present.
+        """
+        head_id = request.url.query.get('head', None)
+
+        if head_id is not None:
+            cls._validate_state_id(head_id)
+
+        return head_id
+
     @classmethod
     def _get_filter_ids(cls, request):
         """Parses the `id` filter paramter from the url query.
@@ -1022,6 +1033,14 @@ def _get_filter_ids(cls, request):
         return filter_ids
 
+    @staticmethod
+    def _validate_state_id(resource_id):
+        """Confirms a header_signature is 70 hex characters, raising an
+        ApiError if not.
+        """
+        if not re.fullmatch('[0-9a-f]{70}', resource_id):
+            raise errors.InvalidStateAddress(resource_id)
+
     @staticmethod
     def _validate_id(resource_id):
         """Confirms a header_signature is 128 hex characters, raising an
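Review bot: The validated `head_id` assigned in the first hunk of `list_state` is never used: the `_head_to_root` call on the following line still passes the raw `request.url.query.get('head', None)`, so the new check only adds an error path while the validator keeps receiving the unvalidated string. Pass the validated value instead: `head, root = await self._head_to_root(head_id)`. The assignment also lacks PEP 8 spacing around `=`, i.e. `head_id = self._state_head_id(request)`. The body of `list_state` continues past the end of the hunk.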
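Review bot: `_state_head_id` validates the `head` query value against a 70-hex-character pattern via `_validate_state_id`, which reads as a state-address check, while `head` is the same query parameter the existing `_get_head_id` (named in the hunk header, body outside the hunk) already handles; if that helper applies the 128-character check from `_validate_id`, the two disagree on what a valid `head` is and one of them will reject values the other accepts, so the expected format should be confirmed before merging. The docstring should also state the failure mode, e.g. `Raises errors.InvalidStateAddress if the head value is present but not 70 lowercase hex characters.`. For consistency with the neighbouring `_get_head_id` and `_get_filter_ids`, the name `_get_state_head_id` would follow the file's naming convention.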
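Review bot: The docstring of `_validate_state_id` says it confirms a `header_signature`, evidently copied from `_validate_id` just below it, but the pattern `[0-9a-f]{70}` and the `errors.InvalidStateAddress` it raises describe a state address, not a signature; suggest `"""Confirms a state address is 70 lowercase hex characters, raising an ApiError if not."""`. The pattern also rejects uppercase hex digits; if that is deliberate it deserves a word in the docstring, and if `_validate_id` compiles its pattern at module level (outside the hunk) this check should follow the same style. The `_validate_id` definition at the end of the hunk continues outside it.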