diff --git a/cmd/local-user-authenticator/main.go b/cmd/local-user-authenticator/main.go
index eafac9be..297eba69 100644
--- a/cmd/local-user-authenticator/main.go
+++ b/cmd/local-user-authenticator/main.go
@@ -109,12 +109,11 @@ func (w *webhook) start(ctx context.Context, l net.Listener) error {
 }
 func (w *webhook) ServeHTTP(rsp http.ResponseWriter, req *http.Request) {
- defer req.Body.Close()
-
 username, password, err := getUsernameAndPasswordFromRequest(rsp, req)
 if err != nil {
 return
 }
+ defer req.Body.Close()
 secret, err := w.secretInformer.Lister().Secrets(namespace).Get(username)
 notFound := k8serrors.IsNotFound(err)
@@ -184,6 +183,12 @@ func getUsernameAndPasswordFromRequest(rsp http.ResponseWriter, req *http.Reques
 return "", "", invalidRequest
 }
+ if req.Body == nil {
+ klog.InfoS("invalid nil body")
+ rsp.WriteHeader(http.StatusBadRequest)
+ return "", "", invalidRequest
+ }
+
 var body authenticationv1beta1.TokenReview
 if err := json.NewDecoder(req.Body).Decode(&body); err != nil {
 klog.InfoS("failed to decode body", "err", err)
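Review bot: The relocated `defer req.Body.Close()` in ServeHTTP is safe only because getUsernameAndPasswordFromRequest now returns an error for a nil body, and nothing at the call site records that dependency. A one-line comment above the defer, such as `// req.Body is non-nil here: getUsernameAndPasswordFromRequest rejects a nil body.`, would keep a later refactor from reintroducing the nil dereference. On the early-return path the handler no longer closes the body; under net/http's server this is harmless because the server closes the request body itself, but code that calls ServeHTTP directly (tests, wrappers) now owns that cleanup. ServeHTTP's body continues past the end of the hunk.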
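Review bot: The decode right after the new nil check, `json.NewDecoder(req.Body).Decode(&body)`, reads the request body with no size bound visible in the hunk, so this authentication webhook will read and buffer whatever size of JSON value a caller sends. Unless a limit is already applied above the hunk (the function starts outside it), cap the body before decoding, e.g. `req.Body = http.MaxBytesReader(rsp, req.Body, maxBodyBytes)`, where `maxBodyBytes` is a placeholder name for a constant sized to a TokenReview. The existing decode-error branch would then also cover oversized requests, presumably with the same bad-request response.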