diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 2a91a648a..148e70548 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -597,6 +597,11 @@ class ApplicationController < ActionController::Base
 offset = (params[:page].to_i - 1) * params[:per_page].to_i
 limit = params[:per_page].to_i
 end
+
+ if per_page > 500
+ per_page = 500
+ end
+
 generic_objects = if offset > 0
 object.limit(params[:per_page]).offset(offset).limit(limit)
 else
diff --git a/app/controllers/organizations_controller.rb b/app/controllers/organizations_controller.rb
index 287150315..47864343f 100644
--- a/app/controllers/organizations_controller.rb
+++ b/app/controllers/organizations_controller.rb
@@ -55,6 +55,10 @@ curl http://localhost/api/v1/organizations -v -u #{login}:#{password}
 per_page = params[:per_page].to_i
 end
+ if per_page > 500
+ per_page = 500
+ end
+
 # only allow customer to fetch his own organization
 organizations = []
 if !current_user.permissions?('admin.organization') && !current_user.permissions?('ticket.agent')
@@ -227,6 +231,10 @@ curl http://localhost/api/v1/organization/{id} -v -u #{login}:#{password} -H "Co
 params[:limit] = params[:page].to_i * params[:per_page].to_i
 end
+ if params[:limit] && params[:limit].to_i > 500
+ params[:limit].to_i = 500
+ end
+
 query_params = {
 query: params[:query],
 limit: params[:limit],
diff --git a/app/controllers/tickets_controller.rb b/app/controllers/tickets_controller.rb
index 93b55e292..f78926e98 100644
--- a/app/controllers/tickets_controller.rb
+++ b/app/controllers/tickets_controller.rb
@@ -13,6 +13,10 @@ class TicketsController < ApplicationController
 per_page = params[:per_page].to_i
 end
+ if per_page > 100
+ per_page = 100
+ end
+
 access_condition = Ticket.access_condition(current_user)
 tickets = Ticket.where(access_condition).offset(offset).limit(per_page)
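Review bot: The new cap is applied to `per_page`, but the query on the visible lines reads `params[:per_page]` and the local `limit` (`object.limit(params[:per_page]).offset(offset).limit(limit)`), so unless `per_page` feeds those further down the method the 500 bound never reaches the database query. The variable `per_page` is not assigned on any visible line of this method (the lines above assign `offset` and `limit`); if it is not defined at all, `per_page > 500` raises NoMethodError on nil for every request. Capping the value the query actually uses, `limit = [limit, 500].min`, would make the bound effective, and the outer `limit(params[:per_page])` is then redundant since the later `limit(limit)` overrides it. The enclosing method starts and ends outside the hunk.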
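Review bot: `params[:limit].to_i = 500` is parsed as an attribute assignment, i.e. a call to a `to_i=` method, which neither String nor Integer defines, so any request with a limit above the cap fails with NoMethodError instead of being capped; the same line appears in the search hunk of tickets_controller.rb (with 100) and in the search hunk of users_controller.rb. The assignment should target the param itself, `params[:limit] = 500`, so that the capped value is what `query_params[:limit]` receives. Because the cap is guarded by `params[:limit]` being present, a request that sends neither `limit` nor page/per_page is left uncapped at this point; whether the search backend applies its own default is not visible in the hunk. The enclosing method starts outside the hunk.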
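Review bot: The page-size bound is a bare literal (`100` here, `500` in the other controllers touched by this commit), so the limit and the reason for it are invisible to the next reader. A named constant at the top of the controller, e.g. `MAX_PER_PAGE = 100`, with `per_page = [per_page, MAX_PER_PAGE].min` replacing the three-line `if`, would document the bound and keep it in one place. The enclosing method starts outside the hunk.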
@@ -397,6 +401,15 @@ class TicketsController < ApplicationController
 params.require(:condition).permit!
 end
+ # set limit for pagination if needed
+ if params[:page] && params[:per_page]
+ params[:limit] = params[:page].to_i * params[:per_page].to_i
+ end
+
+ if params[:limit] && params[:limit].to_i > 100
+ params[:limit].to_i = 100
+ end
+
 # build result list
 tickets = Ticket.search(
 limit: params[:limit],
@@ -405,6 +418,12 @@ class TicketsController < ApplicationController
 current_user: current_user,
 )
+ # do pagination if needed
+ if params[:page] && params[:per_page]
+ offset = (params[:page].to_i - 1) * params[:per_page].to_i
+ tickets = tickets.slice(offset, params[:per_page].to_i) || []
+ end
+
 if params[:expand]
 list = []
 tickets.each { |ticket|
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 520540762..40e31fb62 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -20,6 +20,10 @@ class UsersController < ApplicationController
 per_page = params[:per_page].to_i
 end
+ if per_page > 500
+ per_page = 500
+ end
+
 # only allow customer to fetch him self
 users = if !current_user.permissions?('admin.user') && !current_user.permissions?('ticket.agent')
 User.where(id: current_user.id).offset(offset).limit(per_page)
@@ -333,6 +337,10 @@ class UsersController < ApplicationController
 params[:limit] = params[:page].to_i * params[:per_page].to_i
 end
+ if params[:limit] && params[:limit].to_i > 500
+ params[:limit].to_i = 500
+ end
+
 query_params = {
 query: params[:query],
 limit: params[:limit],
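Review bot: `offset = (params[:page].to_i - 1) * params[:per_page].to_i` goes negative when `page` is 0 or not numeric (`to_i` yields 0), and `Array#slice` with a negative start counts from the end of the array, so `page=0` returns the last `per_page` results instead of an empty or first page. Clamp before slicing, `offset = [(params[:page].to_i - 1) * params[:per_page].to_i, 0].max`. Note also that the search above is bounded by `params[:limit]` (capped at 100 in the preceding hunk), so any page whose offset lies beyond that bound slices past the end and silently returns `[]`; a comment stating that pages past the cap are empty by design would save the next reader a debugging session. The enclosing method starts and ends outside the hunk.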