diff --git a/backend/internal/minioClient/buckets.go b/backend/internal/minioClient/buckets.go
index 4beed7d..eccc890 100644
--- a/backend/internal/minioClient/buckets.go
+++ b/backend/internal/minioClient/buckets.go
@@ -19,6 +19,7 @@ package minioclient
 
 import (
 	"context"
+	"fmt"
 	"slices"
 
 	"github.com/minio/minio-go/v7"
@@ -35,6 +36,15 @@ func setupBuckets(client *minio.Client) {
 		"uploads": "uploads",
 	}
 
+	hiddenBuckets := []string{
+		"uploads",
+	}
+
+	// NOTICE: it has a formatting value in there for the bucket name!!
+	// I'm kind of ashamed for doing this, but the library did not have
+	// an API for configuring a policy, so we're left with JSON I guess
+	readOnlyPolicyTemplate := `{"Version": "2012-10-17","Statement": [{"Action": ["s3:GetObject"],"Effect": "Allow","Principal": {"AWS": ["*"]},"Resource": ["arn:aws:s3:::%s/*"],"Sid": ""}]}`
+
 	ctx := context.Background()
 	var newBuckets []string
 	for key, value := range Buckets {
@@ -47,6 +57,10 @@ func setupBuckets(client *minio.Client) {
 				panic("Failure to create bucket '" + value + "': " + err.Error())
 			}
 			newBuckets = append(newBuckets, key)
+
+			if !slices.Contains(hiddenBuckets, key) {
+				client.SetBucketPolicy(ctx, value, fmt.Sprintf(readOnlyPolicyTemplate, value))
+			}
 		}
 	}
 
@@ -55,7 +69,7 @@ func setupBuckets(client *minio.Client) {
 		uploadsCfg.Rules = []lifecycle.Rule{
 			{
 				ID:		"expire-uploads",
-				Status: "enabled",
+				Status: "Enabled",
 				Expiration: lifecycle.Expiration{Days: 1},
 			},
 		}
diff --git a/backend/internal/minioClient/ginEndpoint.go b/backend/internal/minioClient/ginEndpoint.go
new file mode 100644
index 0000000..32e0766
--- /dev/null
+++ b/backend/internal/minioClient/ginEndpoint.go
@@ -0,0 +1,68 @@
+// Copyright (c) 2025 Nikolai Papin
+//
+// This file is part of Easywish
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
+// the GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package minioclient
+
+import (
+	"io"
+	"net/http"
+	"net/url"
+	"time"
+	"maps"
+	"github.com/gin-gonic/gin"
+)
+
+func setupGinEndpoint(router *gin.Engine) {
+	s3group := router.Group("/s3")
+	s3group.Any("/*path", func(c *gin.Context) {
+		path := c.Param("path")
+		minioURL := &url.URL{
+			Scheme:   "http",
+			Host:     "minio:9000", // XXX: hardcoded minio host
+			Path:     path,
+			RawQuery: c.Request.URL.RawQuery,
+		}
+		req, err := http.NewRequest(c.Request.Method, minioURL.String(), c.Request.Body); if err != nil {
+			c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"error": "Failed to create request"})
+			return
+		}
+		req = req.WithContext(c.Request.Context())
+		maps.Copy(req.Header, c.Request.Header)
+		delete(req.Header, "Host")
+		client := &http.Client{
+			Timeout: 30 * time.Second, // XXX: magic number
+			CheckRedirect: func(req *http.Request, via []*http.Request) error {
+				return http.ErrUseLastResponse
+			},
+		}
+		resp, err := client.Do(req); if err != nil {
+			c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"error": "Failed to forward request"})
+			return
+		}
+		defer resp.Body.Close()
+		for key, values := range resp.Header {
+			for _, value := range values {
+				c.Writer.Header().Add(key, value)
+			}
+		}
+		c.Status(resp.StatusCode)
+		_, err = io.Copy(c.Writer, resp.Body); if err != nil {
+			c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"error": "Failed to copy response body"})
+			return
+		}
+	})
+}
diff --git a/backend/internal/minioClient/minioClient.go b/backend/internal/minioClient/minioClient.go
index 90b36d7..779fdf3 100644
--- a/backend/internal/minioClient/minioClient.go
+++ b/backend/internal/minioClient/minioClient.go
@@ -22,11 +22,12 @@ import (
 	"net/url"
 	"time"
 
+	"github.com/gin-gonic/gin"
 	"github.com/minio/minio-go/v7"
 	"github.com/minio/minio-go/v7/pkg/credentials"
 )
 
-func NewMinioClient() *minio.Client {
+func NewMinioClient(router *gin.Engine) *minio.Client {
 	cfg := config.GetConfig()
 
 	if cfg.MinioUrl == "" {
@@ -54,6 +55,7 @@ func NewMinioClient() *minio.Client {
 	}
 
 	setupBuckets(client)
+	setupGinEndpoint(router)
 
 	return client
 }