diff --git a/handshake/stk_generator.go b/handshake/stk_generator.go
index 497ef213e..c3caea3d2 100644
--- a/handshake/stk_generator.go
+++ b/handshake/stk_generator.go
@@ -89,6 +89,10 @@ func encodeRemoteAddr(remoteAddr net.Addr) []byte {
 
 // decodeRemoteAddr decodes the remote address saved in the STK
 func decodeRemoteAddr(data []byte) string {
+	// data will never be empty for an STK that we generated. Check it to be on the safe side
+	if len(data) == 0 {
+		return ""
+	}
 	if data[0] == stkPrefixIP {
 		return net.IP(data[1:]).String()
 	}
diff --git a/handshake/stk_generator_test.go b/handshake/stk_generator_test.go
index c3dd3aa79..cf9d53dba 100644
--- a/handshake/stk_generator_test.go
+++ b/handshake/stk_generator_test.go
@@ -63,6 +63,16 @@ var _ = Describe("STK Generator", func() {
 		Expect(err).To(MatchError("rest when unpacking token: 4"))
 	})
 
+	// we don't generate tokens that have no data, but we should be able to handle them if we receive one for whatever reason
+	It("doesn't panic if a tokens has no data", func() {
+		t, err := asn1.Marshal(token{Data: []byte("")})
+		Expect(err).ToNot(HaveOccurred())
+		enc, err := stkGen.stkSource.NewToken(t)
+		Expect(err).ToNot(HaveOccurred())
+		_, err = stkGen.DecodeToken(enc)
+		Expect(err).ToNot(HaveOccurred())
+	})
+
 	It("works with an IPv6 addresses ", func() {
 		addresses := []string{
 			"2001:db8::68",