diff --git a/app/controllers/draft_controller.rb b/app/controllers/draft_controller.rb
index 9537634cd74..8fb9c0a6eb2 100644
--- a/app/controllers/draft_controller.rb
+++ b/app/controllers/draft_controller.rb
@@ -11,6 +11,8 @@ class DraftController < ApplicationController
 end
 
 def update
+ raise Discourse::NotFound.new if params[:draft_key].blank?
+
 sequence =
 begin
 Draft.set(
diff --git a/spec/requests/draft_controller_spec.rb b/spec/requests/draft_controller_spec.rb
index 161980b143e..7663a5118d6 100644
--- a/spec/requests/draft_controller_spec.rb
+++ b/spec/requests/draft_controller_spec.rb
@@ -21,6 +21,12 @@ describe DraftController do
 expect(Draft.get(user, 'xyz', 0)).to eq(%q({"my":"data"}))
 end
 
+ it "returns 404 when the key is missing" do
+ user = sign_in(Fabricate(:user))
+ post "/draft.json", params: { data: { my: "data" }.to_json, sequence: 0 }
+ expect(response.status).to eq(404)
+ end
+
 it 'checks for an conflict on update' do
 user = sign_in(Fabricate(:user))
 post = Fabricate(:post, user: user)
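Review bot: The guard added at the top of `update` in app/controllers/draft_controller.rb rejects only a blank `draft_key`, so a non-string value still passes it: Rails parses `draft_key[]=x` into an Array, which is not blank. The arguments of the `Draft.set(` call are cut off by the hunk, so whether and how that value is used is not visible here and this may already be handled. Checking the type at the controller boundary would keep malformed input away from the model, e.g. `raise Discourse::NotFound unless params[:draft_key].is_a?(String) && params[:draft_key].present?`. The `.new` is also redundant, since `raise Discourse::NotFound` instantiates the class. The body of `update` continues outside the hunk.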
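Review bot: The new example in spec/requests/draft_controller_spec.rb exercises only an absent `draft_key`, while the guard it covers uses `blank?`, so an empty or whitespace-only key takes the same path and is worth pinning too, e.g. a second request with `params: { draft_key: "", data: { my: "data" }.to_json, sequence: 0 }` expecting 404. The example also checks only the response status; asserting that no draft was stored for the signed-in user would confirm the request is rejected before anything is written. The surrounding `describe` block and the following 'checks for an conflict on update' example extend beyond the hunk.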