diff --git a/src/lib.rs b/src/lib.rs
index 6274d0c..e27e25a 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -992,6 +992,18 @@ impl<C: UpstreamClient + 'static, S: Sandboxing + Send + Sync + 'static> App<C,
     where
         <<C as UpstreamClient>::Response as HTTPResponse>::BodyStream: Unpin,
     {
+        if let Some(ext) = filename.split('.').last() {
+            if [
+                "exe", "com", "dll", "sys", "bat", "cmd", "sh", "bash", "zsh", "fish", "ps1",
+                "psm1", "elf", "so", "dylib", "dmg", "scr", "url", "app", "jar", "apk", "msi",
+                "deb", "rpm", "rpm", "pkg",
+            ]
+            .iter()
+            .any(|x| x.eq_ignore_ascii_case(ext))
+            {
+                return Err(ErrorResponse::unsafe_media());
+            }
+        }
         Self::proxy_impl(method, Some(&filename), State(state), Query(query), info).await
     }
 }