diff --git a/atst/forms/task_order.py b/atst/forms/task_order.py
index c9c9e19b..cb1571b1 100644
--- a/atst/forms/task_order.py
+++ b/atst/forms/task_order.py
@@ -7,7 +7,7 @@ from wtforms.fields import (
 HiddenField,
 )
 from wtforms.fields.html5 import DateField
-from wtforms.validators import Required, Optional
+from wtforms.validators import Required, Optional, Length
 from flask_wtf import FlaskForm
 from .data import JEDI_CLIN_TYPES
@@ -65,8 +65,13 @@ class CLINForm(FlaskForm):
 class AttachmentForm(BaseForm):
- filename = HiddenField(id="attachment_filename")
- object_name = HiddenField(id="attachment_object_name")
+ filename = HiddenField(
+ id="attachment_filename",
+ validators=[
+ Length(max=100, message="Filename may be no longer than 100 characters.")
+ ],
+ )
+ object_name = HiddenField(id="attachment_object_name", validators=[Length(max=40)])
 accept = ".pdf,application/pdf"
diff --git a/tests/routes/task_orders/test_new.py b/tests/routes/task_orders/test_new.py
index 478baedf..29180c5c 100644
--- a/tests/routes/task_orders/test_new.py
+++ b/tests/routes/task_orders/test_new.py
@@ -7,6 +7,7 @@ from atst.models.task_order import Status as TaskOrderStatus
 from atst.models import TaskOrder
 from tests.factories import CLINFactory, PortfolioFactory, TaskOrderFactory, UserFactory
+from tests.utils import captured_templates
 def build_pdf_form_data(filename="sample.pdf", object_name="object_name"):
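Review bot: In `AttachmentForm` (atst/forms/task_order.py), `Length` only bounds the size of `filename` and `object_name`; both are hidden fields whose values come from the client, so the shape of `object_name` is still unchecked after this change. If the upload code generates object names in one fixed format (that code is not visible in this diff), a `Regexp` validator next to `Length(max=40)` would reject anything else before the value is used as a storage key. The limits 100 and 40 presumably mirror column sizes, so a comment such as `# must match the attachment column lengths` would keep them from drifting. `object_name` could also carry a `message=` the way `filename` does, so that both errors read consistently.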
@@ -101,6 +102,42 @@ def test_task_orders_submit_form_step_one_add_pdf_delete_pdf(
 assert response.status_code == 302
+def test_task_orders_submit_form_step_one_validates_filename(
+ app, client, user_session, portfolio
+):
+ user_session(portfolio.owner)
+ with captured_templates(app) as templates:
+ client.post(
+ url_for(
+ "task_orders.submit_form_step_one_add_pdf", portfolio_id=portfolio.id
+ ),
+ data={"pdf-filename": "a" * 1024},
+ follow_redirects=True,
+ )
+
+ _, context = templates[-1]
+
+ assert "filename" in context["form"].pdf.errors
+
+
+def test_task_orders_submit_form_step_one_validates_object_name(
+ app, client, user_session, portfolio
+):
+ user_session(portfolio.owner)
+ with captured_templates(app) as templates:
+ client.post(
+ url_for(
+ "task_orders.submit_form_step_one_add_pdf", portfolio_id=portfolio.id
+ ),
+ data={"pdf-object_name": "a" * 41},
+ follow_redirects=True,
+ )
+
+ _, context = templates[-1]
+
+ assert "object_name" in context["form"].pdf.errors
+
+
+
 def test_task_orders_form_step_two_add_number(client, user_session, task_order):
 user_session(task_order.creator)
 response = client.get(
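Review bot: The filename test posts 1024 characters, so it would keep passing if the limit were later loosened to any value below 1024; `data={"pdf-filename": "a" * 101}` pins the 100-character boundary the way the object_name test pins 41. Neither test asserts that the rejected submission left nothing behind, so a check on the response, or on the absence of a stored attachment, would show that validation blocks the write rather than only annotating the form (the route's persistence path is not visible here). The two tests differ only in field name and length and could share one parametrized body. The trailing context function `test_task_orders_form_step_two_add_number` continues outside the hunk.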