diff --git a/backend/server.js b/backend/server.js
index b19a13f..cc56c1b 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -67,6 +67,7 @@ const {
   addRequestId,
   sanitizeError,
 } = require("./middleware/security");
+const { sanitizeInput } = require("./middleware/validation");
 const { generalLimiter } = require("./middleware/rateLimiter");
 const errorLogger = require("./middleware/errorLogger");
 const apiLogger = require("./middleware/apiLogger");
@@ -134,6 +135,9 @@ app.use(
   })
 );
 
+// Apply input sanitization to all API routes (XSS prevention)
+app.use("/api/", sanitizeInput);
+
 // Serve static files from uploads directory with CORS headers
 app.use(
   "/uploads",
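Review bot: The comment above the new `app.use("/api/", sanitizeInput)` line overstates what request-side sanitization buys: it is a defense-in-depth measure, while XSS is actually prevented by context-aware output encoding where data is rendered, so the comment should not invite readers to drop escaping on the response side. Whether this middleware ever sees parsed request bodies depends on it being mounted after the body-parsing middleware, which is outside this hunk and worth confirming. If `sanitizeInput` rewrites `req.body` in place (its implementation is not in this diff), blanket application to every `/api/` field can silently alter legitimate values such as passwords, free-text content or code samples before validation runs, so consider scoping it or confirming it skips such fields. Suggested comment: `// Defense-in-depth: strip/escape risky markup in API input. Not a substitute for output encoding; must be mounted after body parsing.`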