diff --git a/config/nova-tinymce-editor.php b/config/nova-tinymce-editor.php
index ad71e06..7ef62cc 100644
--- a/config/nova-tinymce-editor.php
+++ b/config/nova-tinymce-editor.php
@@ -55,7 +55,7 @@
 */
 'extra' => [
 'upload_images' => [
- 'enabled' => false, // Set true for enable images local upload
+ 'enable_api_routes' => env('TINYMCE_ENABLE_UPLOAD_API_ROUTES', true),
 'folder' => 'images',
 'maxSize' => 2048, // KB,
 'disk' => 'public',
diff --git a/routes/api.php b/routes/api.php
index c6c12f9..b3bfca7 100644
--- a/routes/api.php
+++ b/routes/api.php
@@ -1,11 +1,10 @@ name('tinymce.upload')
-// ->withoutMiddleware([VerifyCsrfToken::class])
-// ->middleware(TinymceMiddleware::class);
+if (config('nova-tinymce-editor.extra.upload_images.enable_api_routes', true)) {
+ Route::post('/upload', TinyImageController::class)->name('tinymce.upload')
+ ->middleware('auth');
+}
diff --git a/src/Http/Controllers/TinyImageController.php b/src/Http/Controllers/TinyImageController.php
index ea51bad..4669a77 100644
--- a/src/Http/Controllers/TinyImageController.php
+++ b/src/Http/Controllers/TinyImageController.php
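Review bot: The default flips from off to on: the removed line defaulted `'enabled' => false`, while the added line defaults `env('TINYMCE_ENABLE_UPLOAD_API_ROUTES', true)`, so every install that does not set that env var now registers the upload endpoint (the routes/api.php hunk in this commit checks only this key). The key is also renamed, so a previously published config that set `'enabled'` to either value is silently ignored rather than honoured, and the explanatory comment is dropped. Suggest keeping the conservative default and restoring a comment: `'enable_api_routes' => env('TINYMCE_ENABLE_UPLOAD_API_ROUTES', false), // registers POST /upload (routes/api.php); set true or the env var to enable`. If on-by-default is the intent, say so in the comment and call out the rename from `enabled` in the changelog.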
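Review bot: `->middleware('auth')` names no guard, so the upload route authenticates with the application's default guard; whether that is appropriate depends on the middleware group the package's service provider wraps this file in, which is outside this hunk, and for an API-style route a session guard may simply reject every request while a stateless guard may be what is wanted. Since this endpoint writes files on behalf of the Nova editor, it should presumably sit behind the same protection as the editor itself; letting deployments choose, e.g. `->middleware(config('nova-tinymce-editor.extra.upload_images.middleware', ['auth']))`, avoids forking the route file to set `auth:sanctum` or Nova's own middleware. The `true` fallback in `config(..., true)` duplicates the config-file default, so the route is registered even when the config is not published and the two defaults must be kept in sync. The hunk header counts 11 old and 10 new lines but fewer are visible here, so part of it (likely the original `Route::post` line and the `use` imports) appears to be missing from this view.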
@@ -14,13 +14,47 @@ public function __invoke(Request $request): JsonResponse
 'file' => [
 'required',
 'image',
- 'mimes:jpeg,png,jpg,gif',
+ 'mimes:jpeg,png,jpg,webp',
 'max:'.config('nova-tinymce-editor.extra.upload_images.maxSize', 2048),
 ],
 ]);
+
+ $uploadedFile = $request->file('file');
+
+ // Check if the uploaded file is a valid image
+ $imageInfo = @getimagesize($uploadedFile->getRealPath());
+ if ($imageInfo === false) {
+ return response()->json(['error' => 'The file is not a valid image.'], 422);
+ }
+
+ // Check MIME type
+ $allowedMimeTypes = ['image/jpeg', 'image/png', 'image/jpg', 'image/webp'];
+ if (! in_array($imageInfo['mime'], $allowedMimeTypes)) {
+ return response()->json(['error' => 'Unsupported image type.'], 422);
+ }
+
+ // Check for potentially dangerous content
+ $fileContent = file_get_contents($uploadedFile->getRealPath());
+ $dangerousPatterns = [
+ '/<\?php/i',
+ '/<\?=/i',
+ '/