diff --git a/Gemfile b/Gemfile
index f6b8c486..9c7fb3fb 100644
--- a/Gemfile
+++ b/Gemfile
@@ -16,6 +16,7 @@ gem 'filesize'
 gem 'paperclip'
 gem 'rmagick'
 gem 'image_processing'
+gem 'active_storage_validations'
 # Authentication
 gem 'devise'
diff --git a/Gemfile.lock b/Gemfile.lock
index e60c36df..d44d7c6f 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -79,6 +79,8 @@ GEM
 rails-html-sanitizer (~> 1.1, >= 1.2.0)
 active_record_union (1.3.0)
 activerecord (>= 4.0)
+ active_storage_validations (0.8.5)
+ rails (>= 5.2.0)
 activejob (6.0.2)
 activesupport (= 6.0.2)
 globalid (>= 0.3.6)
@@ -1470,6 +1472,7 @@ PLATFORMS
 ruby
 DEPENDENCIES
+ active_storage_validations
 acts_as_list
 animate-rails
 authority
diff --git a/app/controllers/registrations_controller.rb b/app/controllers/registrations_controller.rb
index 39719420..3ebacbb9 100644
--- a/app/controllers/registrations_controller.rb
+++ b/app/controllers/registrations_controller.rb
@@ -67,6 +67,7 @@ class RegistrationsController < Devise::RegistrationsController
 def attach_avatar
 return unless account_update_params.key?('avatar')
+ current_user.avatar.purge
 current_user.avatar.attach(account_update_params.fetch('avatar', nil))
 end
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index bdcac941..82653961 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -58,6 +58,7 @@ class UsersController < ApplicationController
 report_user_deletion_to_slack(current_user)
+ current_user.avatar.purge
 current_user.really_destroy!
 redirect_to(root_path, notice: 'Your account has been deleted. We will miss you greatly!')
diff --git a/app/models/users/user.rb b/app/models/users/user.rb
index 82a5d802..e09d4340 100644
--- a/app/models/users/user.rb
+++ b/app/models/users/user.rb
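Review bot: In `attach_avatar`, the added `current_user.avatar.purge` deletes the existing avatar before the replacement has passed the new model validations, so an upload rejected for type, size or dimensions leaves the user with no avatar at all. The result of `current_user.avatar.attach(...)` is not checked in the visible lines either, so a rejected file fails silently unless the caller handles it outside this hunk. Replacing a `has_one_attached` file should already remove the old blob once the new one is saved, so consider dropping the explicit purge. If it has to stay, run it only after a successful attach and record the reason in a comment, e.g. `# purge the previous blob only after the new avatar has validated and saved`.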
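Review bot: The synchronous `current_user.avatar.purge` in the account-deletion action runs before `current_user.really_destroy!` and outside any transaction. If the destroy raises, the account survives but its avatar file is already gone from storage, and the request blocks on the storage call. If the explicit purge is needed because `really_destroy!` does not trigger the attachment's own dependent purge (not visible here), say so in a comment such as `# really_destroy! does not remove the Active Storage blob, so purge it explicitly`. Also consider moving the purge after the destroy succeeds. The enclosing action begins and ends outside the hunk.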
@@ -52,10 +52,24 @@ class User < ApplicationRecord
 has_many :notice_dismissals, dependent: :destroy
 has_one_attached :avatar
+ validates :avatar, attached: true,
+ content_type: {
+ in: ['image/png', 'image/jpg', 'image/jpeg', 'image/gif'],
+ message: 'must be a PNG, JPG, JPEG, or GIF'
+ },
+ dimension: {
+ width: { max: 1000 },
+ height: { max: 1000 },
+ message: 'must be smaller than 1000x1000 pixels'
+ },
+ size: {
+ less_than: 500.kilobytes,
+ message: "can't be larger than 500KB"
+ }
 def contributable_universes
 @user_contributable_universes ||= begin
- # todo email confirmation needs to happy for data safety / privacy (only verified emails)
+ # todo email confirmation needs to happen for data safety / privacy (only verified emails)
 contributor_ids = Contributor.where('email = ? OR user_id = ?', self.email, self.id).pluck(:universe_id)
 Universe.where(id: contributor_ids)
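Review bot: `attached: true` on `validates :avatar` makes an avatar mandatory for every `User` save, so sign-up and unrelated profile updates for users without an avatar would presumably start failing validation. Drop that option so the line reads `validates :avatar,` followed directly by `content_type: {`. The remaining checks should then apply only when a file is present, as far as I know. The `size` and `dimension` checks run only after the application has received the file and, for dimensions, after an image library has parsed it, so they do not bound what an uploader can send. A request-body limit at the web server or proxy is still needed, and a comment saying so would help. `'image/jpg'` is not a registered MIME type and is probably dead weight in the allow-list next to `'image/jpeg'`.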