diff --git a/Jellyfin.Plugin.MediaBarEnhanced/Api/OverlayImageController.cs b/Jellyfin.Plugin.MediaBarEnhanced/Api/OverlayImageController.cs index 9f1e2b4..2cc5084 100644 --- a/Jellyfin.Plugin.MediaBarEnhanced/Api/OverlayImageController.cs +++ b/Jellyfin.Plugin.MediaBarEnhanced/Api/OverlayImageController.cs @@ -4,6 +4,7 @@ using System.Threading.Tasks; using Microsoft.AspNetCore.Http; using Microsoft.AspNetCore.Mvc; using MediaBrowser.Common.Configuration; +using Microsoft.AspNetCore.Authorization; namespace Jellyfin.Plugin.MediaBarEnhanced.Api { @@ -26,7 +27,7 @@ namespace Jellyfin.Plugin.MediaBarEnhanced.Api /// /// Uploads a new custom overlay image. /// - // [Microsoft.AspNetCore.Authorization.Authorize] + [Authorize(Policy = "RequiresElevation")] [HttpPost("OverlayImage")] [Consumes("multipart/form-data")] public async Task UploadImage([FromForm] IFormFile file, [FromQuery] string? filename = null) @@ -40,7 +41,7 @@ namespace Jellyfin.Plugin.MediaBarEnhanced.Api string extension = Path.GetExtension(file.FileName); if (string.IsNullOrWhiteSpace(extension)) extension = ".jpg"; - // Delete any existing file with this prefix before saving the new one (as extensions might differ) + // Delete any existing file with this prefix before saving the new one string prefix = string.IsNullOrWhiteSpace(filename) ? "custom_overlay_image_global" : $"custom_overlay_image_{filename}"; try 
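Review bot: The policy name on UploadImage is written as the string literal `"RequiresElevation"`, and the `@@ -115,7 +111,7 @@` hunk repeats it on DeleteImage. If the Jellyfin version this plugin targets exposes the `Policies.RequiresElevation` constant to plugins, I would reference it instead, `[Authorize(Policy = Policies.RequiresElevation)]`, so a typo is caught at compile time rather than surfacing as a missing-policy error at request time. The method body continues outside this hunk.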
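Review bot: The `filename` query value is interpolated straight into `prefix` on the line below the edited comment, and no validation of it, or of the extension taken from the client-supplied `file.FileName`, is visible in these hunks. That prefix feeds the delete-by-prefix step the comment describes, and the `@@ -60,9 +61,6 @@` hunk passes `$"{prefix}{extension}"` to `Path.Combine(_imageDirectory, ...)`, so unless a check sits in the lines between the hunks, a value containing a directory separator resolves outside the image directory. I would reject such names before building `prefix`, for example `if (!string.IsNullOrWhiteSpace(filename) && filename != Path.GetFileName(filename)) return BadRequest("Invalid filename.");`, and restrict `extension` to the image types GetImage is prepared to serve. The same check belongs in DeleteImage and RenameImage, whose bodies are outside this diff.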
@@ -60,9 +61,6 @@ namespace Jellyfin.Plugin.MediaBarEnhanced.Api string targetFileName = $"{prefix}{extension}"; string targetPath = Path.Combine(_imageDirectory, targetFileName); - // Delete is not strictly necessary and can cause locking issues if someone is currently reading it. - // FileMode.Create will truncate the file if it exists, effectively overwriting it. - // We use FileShare.None to ensure we have exclusive write access, but handle potential IOExceptions gracefully. using (var stream = new FileStream(targetPath, FileMode.Create, FileAccess.Write, FileShare.None)) { await file.CopyToAsync(stream).ConfigureAwait(false); @@ -82,7 +80,6 @@ namespace Jellyfin.Plugin.MediaBarEnhanced.Api /// /// Retrieves the custom overlay image. /// - // [Microsoft.AspNetCore.Authorization.Authorize] [HttpGet("OverlayImage")] public IActionResult GetImage([FromQuery] string? filename = null) { @@ -98,7 +95,6 @@ namespace Jellyfin.Plugin.MediaBarEnhanced.Api string targetPath = existingFiles[0]; // Read the file and return with appropriate MIME type - // We use FileShare.ReadWrite | FileShare.Delete so that if someone is currently overwriting the file (uploading), we don't block them. var stream = new FileStream(targetPath, FileMode.Open, FileAccess.Read, FileShare.ReadWrite | FileShare.Delete); string mimeType = "application/octet-stream"; @@ -115,7 +111,7 @@ namespace Jellyfin.Plugin.MediaBarEnhanced.Api /// /// Deletes a custom overlay image. /// - // [Microsoft.AspNetCore.Authorization.Authorize] + [Authorize(Policy = "RequiresElevation")] [HttpDelete("OverlayImage")] public IActionResult DeleteImage([FromQuery] string? filename = null) { @@ -144,7 +140,6 @@ namespace Jellyfin.Plugin.MediaBarEnhanced.Api /// /// Renames a custom overlay image (used when a seasonal section is renamed). /// - // [Microsoft.AspNetCore.Authorization.Authorize] [HttpPut("OverlayImage/Rename")] public IActionResult RenameImage([FromQuery] string oldName, [FromQuery] string newName) {
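Review bot: RenameImage in the `@@ -144,7 +140,6 @@` hunk loses its commented-out attribute without getting a real one, so unlike UploadImage and DeleteImage it has no method-level authorization even though it renames files on disk from the `oldName` and `newName` query values. Unless the controller class carries its own `[Authorize]` (the class declaration is not in this diff), I would add `[Authorize(Policy = "RequiresElevation")]` above `[HttpPut("OverlayImage/Rename")]`. GetImage in the `@@ -82,7 +80,6 @@` hunk is left in the same state; if reads without a session are intended, marking it `[AllowAnonymous]` makes that an explicit decision. Both method bodies continue outside their hunks.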