diff --git a/packet_unpacker.go b/packet_unpacker.go
index a826fe7a..6e50809d 100644
--- a/packet_unpacker.go
+++ b/packet_unpacker.go
@@ -49,6 +49,11 @@ func (u *packetUnpacker) Unpack(publicHeaderBinary []byte, hdr *PublicHeader, da
 			frame, err = frames.ParseStreamFrame(r)
 			if err != nil {
 				err = qerr.Error(qerr.InvalidStreamData, err.Error())
+			} else {
+				streamID := frame.(*frames.StreamFrame).StreamID
+				if streamID != 1 && encryptionLevel <= protocol.EncryptionUnencrypted {
+					err = qerr.Error(qerr.UnencryptedStreamData, fmt.Sprintf("received unencrypted stream data on stream %d", streamID))
+				}
 			}
 		} else if typeByte&0xc0 == 0x40 {
 			frame, err = frames.ParseAckFrame(r, u.version)
diff --git a/packet_unpacker_test.go b/packet_unpacker_test.go
index 799fcff9..008d853d 100644
--- a/packet_unpacker_test.go
+++ b/packet_unpacker_test.go
@@ -71,19 +71,6 @@ var _ = Describe("Packet unpacker", func() {
 		Expect(packet.encryptionLevel).To(Equal(protocol.EncryptionSecure))
 	})
 
-	It("unpacks STREAM frames", func() {
-		f := &frames.StreamFrame{
-			StreamID: 1,
-			Data:     []byte("foobar"),
-		}
-		err := f.Write(buf, 0)
-		Expect(err).ToNot(HaveOccurred())
-		setData(buf.Bytes())
-		packet, err := unpacker.Unpack(hdrBin, hdr, data)
-		Expect(err).ToNot(HaveOccurred())
-		Expect(packet.frames).To(Equal([]frames.Frame{f}))
-	})
-
 	It("unpacks ACK frames", func() {
 		unpacker.version = protocol.Version34
 		f := &frames.AckFrame{
@@ -235,4 +222,47 @@ var _ = Describe("Packet unpacker", func() {
 			Expect(err.(*qerr.QuicError).ErrorCode).To(Equal(e))
 		}
 	})
+
+	Context("unpacking STREAM frames", func() {
+		It("unpacks unencrypted STREAM frames on stream 1", func() {
+			unpacker.aead.(*mockAEAD).encLevelOpen = protocol.EncryptionUnencrypted
+			f := &frames.StreamFrame{
+				StreamID: 1,
+				Data:     []byte("foobar"),
+			}
+			err := f.Write(buf, 0)
+			Expect(err).ToNot(HaveOccurred())
+			setData(buf.Bytes())
+			packet, err := unpacker.Unpack(hdrBin, hdr, data)
+			Expect(err).ToNot(HaveOccurred())
+			Expect(packet.frames).To(Equal([]frames.Frame{f}))
+		})
+
+		It("unpacks encrypted STREAM frames on stream 1", func() {
+			unpacker.aead.(*mockAEAD).encLevelOpen = protocol.EncryptionSecure
+			f := &frames.StreamFrame{
+				StreamID: 1,
+				Data:     []byte("foobar"),
+			}
+			err := f.Write(buf, 0)
+			Expect(err).ToNot(HaveOccurred())
+			setData(buf.Bytes())
+			packet, err := unpacker.Unpack(hdrBin, hdr, data)
+			Expect(err).ToNot(HaveOccurred())
+			Expect(packet.frames).To(Equal([]frames.Frame{f}))
+		})
+
+		It("does not unpack unencrypted STREAM frames on higher streams", func() {
+			unpacker.aead.(*mockAEAD).encLevelOpen = protocol.EncryptionUnencrypted
+			f := &frames.StreamFrame{
+				StreamID: 3,
+				Data:     []byte("foobar"),
+			}
+			err := f.Write(buf, 0)
+			Expect(err).ToNot(HaveOccurred())
+			setData(buf.Bytes())
+			_, err = unpacker.Unpack(hdrBin, hdr, data)
+			Expect(err).To(MatchError(qerr.Error(qerr.UnencryptedStreamData, "received unencrypted stream data on stream 3")))
+		})
+	})
 })