diff --git a/src/main/kotlin/com/android/trisolarisserver/controller/IconFiles.kt b/src/main/kotlin/com/android/trisolarisserver/controller/IconFiles.kt
index 503c610..0d2134a 100644
--- a/src/main/kotlin/com/android/trisolarisserver/controller/IconFiles.kt
+++ b/src/main/kotlin/com/android/trisolarisserver/controller/IconFiles.kt
@@ -1,7 +1,12 @@
 package com.android.trisolarisserver.controller
 import org.springframework.beans.factory.annotation.Value
+import org.springframework.core.io.FileSystemResource
+import org.springframework.http.HttpHeaders
+import org.springframework.http.MediaType
+import org.springframework.http.ResponseEntity
 import org.springframework.web.bind.annotation.GetMapping
+import org.springframework.web.bind.annotation.PathVariable
 import org.springframework.web.bind.annotation.RequestMapping
 import org.springframework.web.bind.annotation.RestController
 import java.nio.file.Files
@@ -29,4 +34,21 @@ class IconFiles(
 .toList()
 }
 }
+
+ @GetMapping("/png/{filename}")
+ fun getPng(@PathVariable filename: String): ResponseEntity {
+ if (filename.contains("..") || filename.contains("/") || filename.contains("\\")) {
+ return ResponseEntity.badRequest().build()
+ }
+ val file = Paths.get(pngRoot, filename)
+ if (!Files.exists(file) || !Files.isRegularFile(file)) {
+ return ResponseEntity.notFound().build()
+ }
+ val resource = FileSystemResource(file)
+ return ResponseEntity.ok()
+ .contentType(MediaType.IMAGE_PNG)
+ .header(HttpHeaders.CONTENT_DISPOSITION, "inline; filename=\"${file.fileName}\"")
+ .contentLength(resource.contentLength())
+ .body(resource)
+ }
 }
diff --git a/src/main/kotlin/com/android/trisolarisserver/security/FirebaseAuthFilter.kt b/src/main/kotlin/com/android/trisolarisserver/security/FirebaseAuthFilter.kt
index 36c93eb..6f99398 100644
--- a/src/main/kotlin/com/android/trisolarisserver/security/FirebaseAuthFilter.kt
+++ b/src/main/kotlin/com/android/trisolarisserver/security/FirebaseAuthFilter.kt
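Review bot: In `getPng` (IconFiles.kt) the only guard is a substring denylist, so any regular file that sits directly in `pngRoot` is returned with `Content-Type: image/png` whatever its extension, and nothing checks that the resolved path is still under the root. Since the two security hunks of this commit make the route public, I would require a `.png` suffix and add a containment check on the normalised path rather than rely on the character filter alone. The filename is also interpolated unescaped into the `Content-Disposition` value; Spring's `ContentDisposition.inline().filename(...)` builder takes care of the quoting. The fence shows the rewritten guard, with the response building left as it is.

```kotlin
fun getPng(@PathVariable filename: String): ResponseEntity {
    if (!filename.endsWith(".png", ignoreCase = true) ||
        filename.contains("..") || filename.contains("/") || filename.contains("\\")
    ) {
        return ResponseEntity.badRequest().build()
    }
    val root = Paths.get(pngRoot).toAbsolutePath().normalize()
    val file = root.resolve(filename).normalize()
    // Containment is checked on the resolved path, independently of the substring filter above.
    if (!file.startsWith(root) || !Files.isRegularFile(file)) {
        return ResponseEntity.notFound().build()
    }
    // … unchanged: FileSystemResource and response building …
```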
@@ -30,6 +30,7 @@ class FirebaseAuthFilter(
 || path.matches(Regex("^/properties/[^/]+/room-types$"))
 || (path == "/image-tags" && request.method.equals("GET", true))
 || path == "/icons/png"
+ || path.matches(Regex("^/icons/png/[^/]+$"))
 }
 override fun doFilterInternal(
diff --git a/src/main/kotlin/com/android/trisolarisserver/security/SecurityConfig.kt b/src/main/kotlin/com/android/trisolarisserver/security/SecurityConfig.kt
index 91c958a..c350c15 100644
--- a/src/main/kotlin/com/android/trisolarisserver/security/SecurityConfig.kt
+++ b/src/main/kotlin/com/android/trisolarisserver/security/SecurityConfig.kt
@@ -31,6 +31,7 @@ class SecurityConfig(
 it.requestMatchers("/properties/*/room-types").permitAll()
 it.requestMatchers(org.springframework.http.HttpMethod.GET, "/image-tags").permitAll()
 it.requestMatchers("/icons/png").permitAll()
+ it.requestMatchers("/icons/png/*").permitAll()
 it.anyRequest().authenticated()
 }
 .exceptionHandling {
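Review bot: The new skip rule `path.matches(Regex("^/icons/png/[^/]+$"))` in FirebaseAuthFilter applies to every HTTP method, while the controller only adds a GET handler and the `/image-tags` entry two lines up is already method-scoped; `|| (request.method.equals("GET", true) && path.matches(Regex("^/icons/png/[^/]+$")))` would keep the bypass as narrow as the route. The same holds for the SecurityConfig hunk, where `it.requestMatchers(org.springframework.http.HttpMethod.GET, "/icons/png/*").permitAll()` would match the `/image-tags` line above it. The public list now lives in two places with different matching semantics (a regex on `path` here, a path pattern there), so a comment on each pointing to the other would help keep them aligned. The enclosing function starts above this hunk, so how `path` is derived is not visible here.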