diff --git a/server.py b/server.py
index aabf883..94dc5c9 100644
--- a/server.py
+++ b/server.py
@@ -44,11 +44,16 @@ def serve_frontend():
     return FileResponse("index.html")
 
+PREVIEW_ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png"}
+
+
 @app.get("/preview")
 def preview(path: str):
+    ext = os.path.splitext(path)[1].lower()
+    if ext not in PREVIEW_ALLOWED_EXTENSIONS:
+        raise HTTPException(status_code=403, detail="Dateityp nicht erlaubt")
     if not os.path.isfile(path):
         raise HTTPException(status_code=404, detail="Datei nicht gefunden")
-    ext = os.path.splitext(path)[1].lower()
     media = "image/jpeg" if ext in (".jpg", ".jpeg") else "image/png"
     with open(path, "rb") as f:
         return Response(content=f.read(), media_type=media)