diff --git a/aio/nginx.conf b/aio/nginx.conf
index fe413193..fdf1a625 100644
--- a/aio/nginx.conf
+++ b/aio/nginx.conf
@@ -129,6 +129,20 @@ http {
 proxy_redirect http://127.0.0.1/ $scheme://$http_host/;
 }
 
+ # Serve protected media files with X-Accel-Redirect
+ location /protectedMedia/ {
+ internal; # Only internal requests are allowed
+ alias /code/backend/server/media/; # This should match Django MEDIA_ROOT
+ try_files $uri =404; # Return a 404 if the file doesn't exist
+
+ # Security headers for all protected files
+ add_header Content-Security-Policy "default-src 'self'; script-src 'none'; object-src 'none'; base-uri 'none'" always;
+ add_header X-Content-Type-Options nosniff always;
+ add_header X-Frame-Options SAMEORIGIN always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ }
+
 # Everything else to frontend (SvelteKit)
 location / {
 proxy_pass http://frontend_upstream;
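Review bot: The `add_header` lines inside `location /protectedMedia/` replace, rather than extend, any `add_header` directives set at the enclosing `server` or `http` level, because nginx inherits add_header from the parent context only when the current context defines none; if the surrounding config (outside this hunk) sets headers such as Strict-Transport-Security there, protected media responses will silently lose them, so either repeat them in this block or move the shared set into an `include`d snippet used by every location. `X-XSS-Protection "1; mode=block"` is a legacy header that current browsers ignore and that is no longer recommended; with `script-src 'none'` already in the CSP it adds nothing, so replace it with `add_header X-XSS-Protection 0 always;` or drop the line. If the files under MEDIA_ROOT are user uploads (not verifiable from this hunk), the `default-src 'self'` policy still lets an uploaded HTML or SVG document render in the site's origin; a `sandbox` directive in the CSP (e.g. `add_header Content-Security-Policy "default-src 'none'; sandbox; base-uri 'none'" always;`) is the stronger choice, provided the application does not need those files to render inline. The `internal;` comment should also state that access control happens in Django and nginx only serves the path named in the backend's `X-Accel-Redirect` header, so a reader does not mistake these headers for the authorization check. The enclosing `http` block starts and ends outside the hunk.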