diff --git a/CHANGES b/CHANGES
index 2b4cd02df..bd2920868 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1404,4 +1404,5 @@
 [3.3.0]
 * Use new addons with REST APIs
 * Ubuntu 18.04 LTS support
+* Custom env vars can be set per application
 
diff --git a/src/apps.js b/src/apps.js
index 2d5cc4121..433a9289f 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -291,6 +291,16 @@ function validateBackupFormat(format) {
     return new AppsError(AppsError.BAD_FIELD, 'Invalid backup format');
 }
 
+function validateEnv(env) {
+    for (let key in env) {
+        if (key.length > 512) return new AppsError(AppsError.BAD_FIELD, 'Max env var key length is 512');
+        // http://pubs.opengroup.org/onlinepubs/000095399/basedefs/xbd_chap08.html
+        if (!/^[a-zA-Z_][a-zA-Z0-9_]*$/.test(key)) return new AppsError(AppsError.BAD_FIELD, `"${key}" is not a valid environment variable`);
+    }
+
+    return null;
+}
+
 function getDuplicateErrorDetails(location, portBindings, error) {
     assert.strictEqual(typeof location, 'string');
     assert.strictEqual(typeof portBindings, 'object');
@@ -575,6 +585,9 @@ function install(data, user, auditSource, callback) {
         // if sso was unspecified, enable it by default if possible
         if (sso === null) sso = !!manifest.addons['ldap'] || !!manifest.addons['oauth'];
 
+        error = validateEnv(env);
+        if (error) return callback(error);
+
         var appId = uuid.v4();
 
         if (icon) {
@@ -737,6 +750,8 @@ function configure(appId, data, user, auditSource, callback) {
 
         if ('env' in data) {
             values.env = data.env;
+            error = validateEnv(data.env);
+            if (error) return callback(error);
         }
 
         domains.get(domain, function (error, domainObject) {