diff --git a/src/main/java/eu/hbp/mip/controllers/FilesAPI.java b/src/main/java/eu/hbp/mip/controllers/FilesAPI.java
new file mode 100644
index 0000000000000000000000000000000000000000..88e179bd2b4eadad5b2e3923194a613a615b29d5
--- /dev/null
+++ b/src/main/java/eu/hbp/mip/controllers/FilesAPI.java
@@ -0,0 +1,50 @@
+package eu.hbp.mip.controllers;
+
+import eu.hbp.mip.configuration.SecurityConfiguration;
+import io.swagger.annotations.Api;
+import io.swagger.annotations.ApiOperation;
+import io.swagger.annotations.ApiParam;
+import org.apache.log4j.Logger;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.time.LocalDateTime;
+
+/**
+ * Created by mirco on 08.05.17.
+ */
+
+@RestController
+@RequestMapping(value = "/protected")
+@Api(value = "/protected", description = "the protected files API")
+public class FilesAPI {
+
+    private static final Logger LOGGER = Logger.getLogger(FilesAPI.class);
+
+    @Autowired
+    private SecurityConfiguration securityConfiguration;
+
+    @ApiOperation(value = "Get protected files")
+    @RequestMapping(value = "/{filename}" , method = RequestMethod.GET)
+    public ResponseEntity<Void> getProtectedFile(
+            @ApiParam(value = "filename", required = true) @PathVariable("filename") String filename
+    ) {
+        LOGGER.info("Get protected file");
+
+        String filepath = "/protected/" + filename;
+        String user = securityConfiguration.getUser().getUsername();
+        String time = LocalDateTime.now().toString();
+        LOGGER.info("User " + user + " downloaded " + filepath + " at "+ time);
+
+        HttpHeaders headers = new HttpHeaders();
+        headers.add("X-Accel-Redirect", filepath);
+
+        return new ResponseEntity<>(headers, HttpStatus.OK);
+    }
+}
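Review bot: `filename` from the path variable is concatenated unchecked into both the `X-Accel-Redirect` header and the audit log line in `getProtectedFile`. Depending on how the front proxy normalises the internal URI, a dot-segment could resolve the redirect outside `/protected/`, and decoded control characters could forge log entries. I would validate before building `filepath`, e.g. `if (!filename.matches("[A-Za-z0-9][A-Za-z0-9._-]*") || filename.contains("..")) return new ResponseEntity<>(HttpStatus.BAD_REQUEST);`. The log line also says "downloaded", although the handler only issues the redirect and cannot know whether the file exists or was served; "requested" would be more accurate for an audit trail. No per-file authorisation is visible here, so access presumably rests entirely on `SecurityConfiguration` covering `/protected/**`, which is worth stating in a Javadoc on the method.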