diff --git a/src/app.controller.ts b/src/app.controller.ts
index 3b70c990..ccf1292d 100644
--- a/src/app.controller.ts
+++ b/src/app.controller.ts
@@ -1,4 +1,5 @@
 import {
+  BadRequestException,
   Controller,
   Get,
   Param,
@@ -10,6 +11,7 @@ import { AppService } from "./app.service";
 import { JwtAuthGuard } from "./common/guards/keycloak.guard";
 import { ApiBasicAuth, ApiHeader } from "@nestjs/swagger";
 import { RbacAuthGuard } from "./common/guards/rbac.guard";
+import * as path from "path";
 
 @Controller()
 export class AppController {
@@ -27,6 +29,10 @@ export class AppController {
 
   @Get("files/:fileName")
   seeUploadedFile(@Param("fileName") fileName: string, @Res() res) {
-    return res.sendFile(fileName, { root: "./uploads" });
+    const sanitizedFileName = path.basename(fileName);
+    if (sanitizedFileName !== fileName) {
+      throw new BadRequestException("Invalid file name");
+    }
+    return res.sendFile(sanitizedFileName, { root: "./uploads" });
   }
 }
diff --git a/src/main.ts b/src/main.ts
index 88a6b1d5..d931a1ba 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -47,13 +47,13 @@ async function bootstrap() {
     exclude: [{ path: "health", method: RequestMethod.GET }],
   });
 
-  // app.useGlobalPipes(
-  //   new ValidationPipe({
-  //     whitelist: true,
-  //     forbidNonWhitelisted: true,
-  //     transform: true,
-  //   }),
-  // );
+  app.useGlobalPipes(
+    new ValidationPipe({
+      whitelist: true,
+      forbidNonWhitelisted: true,
+      transform: true,
+    }),
+  );
 
   const config = new DocumentBuilder()
     .setTitle("Shiksha Platform")
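Review bot: The basename comparison in `seeUploadedFile` lets the names `.` and `..` through unchanged, because `path.basename("..")` is `".."`, so those two values still reach `res.sendFile` and rely on Express's own root check rather than on this guard; tighten the condition to `if (sanitizedFileName !== fileName || sanitizedFileName === "." || sanitizedFileName === "..") {`. The check is also host-specific: on a POSIX host `path.basename` splits only on `/`, so a backslash is accepted as an ordinary filename character, which is harmless there but deserves a comment such as `// basename splits on the host separator only; any path segment is rejected`. `res` carries no type, so `res.sendFile` is an `any` call under strict mode; `@Res() res: Response` from express would let the compiler check it. A rejected name is worth a warn-level log entry (without echoing the value to the client) so traversal attempts are visible in monitoring. The enclosing class `AppController` starts before this hunk.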
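Review bot: Enabling `forbidNonWhitelisted: true` on a global `ValidationPipe` means every handler whose body or query DTO is a class without class-validator decorators now rejects all of its properties with a 400, so each DTO in the application needs to be checked for decorators (or pass-through fields marked with `@Allow()`) before this is merged; this is a behavior change for every existing route, not only new ones. With `transform: true`, Nest also converts primitive `@Param`/`@Query` values to the declared TypeScript type as far as its documentation describes, so a handler declaring `id: number` starts receiving a number instead of a string — worth confirming against existing handlers. A short comment above the call would help the next reader, e.g. `// Reject undeclared body/query fields globally; every DTO must carry class-validator decorators.` The enclosing `bootstrap` function starts before this hunk and continues after it.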