diff --git a/app.js b/app.js
index 700f3137c..aff403972 100644
--- a/app.js
+++ b/app.js
@@ -136,7 +136,6 @@ app.use(i18n.init)
 // static files
 app.use('/', express.static(path.join(__dirname, '/public'), { maxAge: config.staticCacheTime, index: false }))
 app.use('/docs', express.static(path.resolve(__dirname, config.docsPath), { maxAge: config.staticCacheTime }))
-app.use('/uploads', express.static(path.resolve(__dirname, config.uploadsPath), { maxAge: config.staticCacheTime }))
 app.use('/default.md', express.static(path.resolve(__dirname, config.defaultNotePath), { maxAge: config.staticCacheTime }))
 app.use(require('./lib/metrics').router)
@@ -172,6 +171,12 @@ app.use(flash())
 app.use(passport.initialize())
 app.use(passport.session())
+// routes with sessions
+app.use('/uploads', (req, res, next) => {
+ if (req.isAuthenticated()) next()
+ else response.errorNotFound(req, res)
+}, express.static(path.resolve(__dirname, config.uploadsPath), { maxAge: config.staticCacheTime }))
+
 // check uri is valid before going further
 app.use(require('./lib/middleware/checkURIValid'))
 // redirect url without trailing slashes
diff --git a/lib/config/environment.js b/lib/config/environment.js
index 70bdd6c35..06f8737a9 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -37,6 +37,7 @@ module.exports = {
 responseMaxLag: toIntegerConfig(process.env.CMD_RESPONSE_MAX_LAG),
 privacyPolicyURL: process.env.CMD_PRIVACY_POLICY_URL,
 imageUploadType: process.env.CMD_IMAGE_UPLOAD_TYPE,
+ uploadsPath: process.env.CMD_UPLOADS_PATH,
 imgur: {
 clientID: process.env.CMD_IMGUR_CLIENTID
 },
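Review bot: In app.js, the new session-gated `/uploads` route (second hunk) still passes `maxAge: config.staticCacheTime` to `express.static`, which by default sends `Cache-Control: public, max-age=…`; a shared cache or reverse proxy in front of the app may then keep an upload fetched by a signed-in user and serve it without the session check. For files behind the login check the response should be marked private, for example by adding `setHeaders: (res) => res.setHeader('Cache-Control', 'private, max-age=' + Math.floor(config.staticCacheTime / 1000))` to the options, or `cacheControl: false`. The gate is also authentication only, not authorization: any signed-in account can fetch any upload whose filename it knows, and images embedded in notes that guests can read will now get the not-found response, so a comment above the route such as `// uploads are visible to every logged-in user; guests get 404 by design` would make the intent explicit. `response` is not defined in the visible lines; presumably it is required earlier in app.js, which is worth confirming.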