diff --git a/index.js b/index.js
index 0a365d9..3884d65 100644
--- a/index.js
+++ b/index.js
@@ -13,9 +13,6 @@ app.set('view engine', 'ejs')
 app.use(express.urlencoded({ extended: false }));
 app.use(express.json());
-app.get('/', (req, res) => {
-  res.render('upload');
-});
 const isPathValid = (filename, filePath) => {
   if (!filename) {
@@ -26,6 +23,10 @@ const isPathValid = (filename, filePath) => {
     return false;
   }
+  if (!/[A-Za-z1-9.]+/g.test(filename)) {
+    return false;
+  }
+
   if (filePath.indexOf(config.storagePath) !== 0) {
     return false;
   }
@@ -33,6 +34,22 @@ const isPathValid = (filename, filePath) => {
   return true;
 };
+const isFilenameValid = (filename) => {
+  if (!filename) {
+    return false;
+  }
+
+  if (filename.indexOf('\0') !== -1 || filename.indexOf('%') !== -1 || filename.indexOf('..') !== -1 || filename.indexOf('&') !== -1) {
+    return false;
+  }
+
+  if (!/[A-Za-z1-9.]+/g.test(filename)) {
+    return false;
+  }
+
+  return true;
+};
+
 const getFileType = (filename) => {
   const extension = path.extname(filename).substring(1);
   let type = config.files.embed[extension];
@@ -44,6 +61,14 @@ const getFileType = (filename) => {
   return type;
 };
+
+
+app.get('/', (req, res) => {
+  res.render('upload');
+});
+
+
+
 app.get('/file/:filename', (req, res) => {
   const filename = req.params.filename;
   const filePath = path.join(config.storagePath, filename);
@@ -75,6 +100,7 @@ app.get('/file/:filename', (req, res) => {
 app.post('/api/upload', (req, res) => {
   const password = req.body.password;
+  const chosenFileName = req.body.filename;
   if (config.passwords.indexOf(password) === -1) {
     return res.status(401).render('uploadfailed', { message: 'The password you entered is not correct.' });
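Review bot: The pattern `/[A-Za-z1-9.]+/g` added to isPathValid is unanchored, so `.test()` succeeds whenever the name contains a single letter, digit or dot anywhere and rejects almost nothing; the identical check is repeated in isFilenameValid in the next hunk. Anchoring it and admitting `0` (the `1-9` range looks like a typo) turns it into a real allowlist, `if (!/^[A-Za-z0-9._-]+$/.test(filename)) {`, and the `g` flag, which has no effect on a literal re-created per call, can go. With an anchored allowlist the `\0`, `%` and `&` substring checks in isFilenameValid become redundant, while the `..` check still matters because `.` remains allowed. isPathValid's body starts and ends outside this hunk.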
@@ -85,7 +111,16 @@ app.post('/api/upload', (req, res) => {
   }
   const file = req.files.file;
-  const filepath = `${config.storagePath}/${file.name}`;
+
+  if (!isFilenameValid(chosenFileName)) {
+    return res.status(400).render('uploadfailed', { message: 'Invalid name.' });
+  }
+
+  const filepath = path.join(config.storagePath, chosenFileName);
+
+  if (!isFilenameValid(file.name) || !isPathValid(chosenFileName, filepath)) {
+    return res.status(400).render('uploadfailed', { message: 'Invalid name.' });
+  }
   fs.stat(filepath, (err) => {
     if(err == null) {
@@ -93,7 +128,7 @@ app.post('/api/upload', (req, res) => {
     } else if(err.code === 'ENOENT') {
       file.mv(filepath, (err) => {
         if (err) return res.status(500).render('uploadfailed', { message: 'Something went wrong while uploading the file.' });
-        res.render('uploaded', { file: { name: file.name } });
+        res.render('uploaded', { file: { name: chosenFileName } });
       });
     } else {
       return res.status(500).render('uploadfailed', { message: 'Something went wrong.' });;
diff --git a/views/upload.ejs b/views/upload.ejs
index 96091e1..081ae83 100644
--- a/views/upload.ejs
+++ b/views/upload.ejs
@@ -10,6 +10,7 @@
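Review bot: `chosenFileName` is taken from `req.body.filename` and never confirmed to be a string before it reaches isFilenameValid and `path.join`; with `express.json()` or a repeated urlencoded key the value can be an array or object, for which `.indexOf` and regex `.test` coerce silently while `path.join` throws a TypeError, so the request ends as a generic 500 rather than the 400 this hunk intends. Guard the type at the first check: `if (typeof chosenFileName !== 'string' || !isFilenameValid(chosenFileName)) {`. The second `if` then re-validates the same value via isPathValid and also checks `file.name`, which no longer contributes to the stored path; merging the two rejections would leave the handler with one validation point. app.post's body starts in the previous hunk and continues past this one.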

i think

Password:
+ File name:

diff --git a/views/uploadfailed.ejs b/views/uploadfailed.ejs
index a2bfec9..d855dcd 100644
--- a/views/uploadfailed.ejs
+++ b/views/uploadfailed.ejs
@@ -9,5 +9,7 @@

upload failed

i think

<%= message %>

+
+ Go back
\ No newline at end of file