diff --git a/admin/app/controllers/rag_controller.ts b/admin/app/controllers/rag_controller.ts
index ce94876..d695e4e 100644
--- a/admin/app/controllers/rag_controller.ts
+++ b/admin/app/controllers/rag_controller.ts
@@ -12,11 +12,15 @@ export default class RagController {
 constructor(private ragService: RagService) { }
 public async upload({ request, response }: HttpContext) {
- const uploadedFile = request.file('file')
+ const uploadedFile = request.file('file', { size: '50mb' })
 if (!uploadedFile) {
 return response.status(400).json({ error: 'No file uploaded' })
 }
+ if (!uploadedFile.isValid) {
+ return response.status(422).json({ errors: uploadedFile.errors })
+ }
+
 const randomSuffix = randomBytes(6).toString('hex')
 const sanitizedName = sanitizeFilename(uploadedFile.clientName)
diff --git a/admin/app/controllers/settings_controller.ts b/admin/app/controllers/settings_controller.ts
index e90370d..40e959a 100644
--- a/admin/app/controllers/settings_controller.ts
+++ b/admin/app/controllers/settings_controller.ts
@@ -6,7 +6,7 @@ import { SystemService } from '#services/system_service';
 import { updateSettingSchema } from '#validators/settings';
 import { inject } from '@adonisjs/core';
 import type { HttpContext } from '@adonisjs/core/http'
-import type { KVStoreKey } from '../../types/kv_store.js';
+import { KV_STORE_SCHEMA, type KVStoreKey } from '../../types/kv_store.js';
 @inject()
 export default class SettingsController {
@@ -104,6 +104,10 @@ export default class SettingsController {
 async getSetting({ request, response }: HttpContext) {
 const key = request.qs().key;
+ const validKeys = Object.keys(KV_STORE_SCHEMA);
+ if (!key || !validKeys.includes(key)) {
+ return response.status(400).send({ error: `Invalid setting key. Valid keys: ${validKeys.join(', ')}` });
+ }
 const value = await KVStore.getValue(key as KVStoreKey);
 return response.status(200).send({ key, value });
 }
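Review bot: The options on the changed `request.file('file', { size: '50mb' })` line bound only the size, so any file type under the limit still passes the new `isValid` gate and reaches `sanitizeFilename(uploadedFile.clientName)` with whatever extension the client chose. If ingestion only handles a fixed set of document types, declare them in the same options object — `request.file('file', { size: '50mb', extnames: [/* accepted extensions */] })` — and the existing `isValid`/`errors` branch will reject an unexpected type with the same 422 and no further code. A one-line comment above the `isValid` check, such as `// isValid covers every rule passed to request.file (size, extnames)`, would make that coupling visible to the next reader. upload's body continues past the end of the hunk.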
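Review bot: In getSetting the added allow-list check does not remove the `key as KVStoreKey` cast two lines later, and `!key` relies on truthiness while `request.qs().key` is untyped and may be an array if the parameter is repeated; `includes` then returns false so the request is rejected, but the intent is clearer as an explicit type test: `if (typeof key !== 'string' || !validKeys.includes(key)) {`. With that in place a predicate `const isKVStoreKey = (k: unknown): k is KVStoreKey => typeof k === 'string' && validKeys.includes(k)` lets the cast go entirely. `validKeys` is constant for the life of the process, so it can be computed once at module level instead of on every request. The 400 body enumerates every valid key to the caller; on an admin route that is reasonable, but it should be a deliberate choice since the list describes the settings schema.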
diff --git a/admin/app/validators/rag.ts b/admin/app/validators/rag.ts
index a9124b4..47c5474 100644
--- a/admin/app/validators/rag.ts
+++ b/admin/app/validators/rag.ts
@@ -2,7 +2,7 @@ import vine from '@vinejs/vine'
 export const getJobStatusSchema = vine.compile(
 vine.object({
- filePath: vine.string(),
+ filePath: vine.string().maxLength(500),
 })
 )
diff --git a/admin/app/validators/system.ts b/admin/app/validators/system.ts
index 41eb6a6..911bb81 100644
--- a/admin/app/validators/system.ts
+++ b/admin/app/validators/system.ts
@@ -2,13 +2,13 @@ import vine from '@vinejs/vine'
 export const installServiceValidator = vine.compile(
 vine.object({
- service_name: vine.string().trim(),
+ service_name: vine.string().trim().maxLength(100).regex(/^[a-zA-Z0-9_-]+$/),
 })
 )
 export const affectServiceValidator = vine.compile(
 vine.object({
- service_name: vine.string().trim(),
+ service_name: vine.string().trim().maxLength(100).regex(/^[a-zA-Z0-9_-]+$/),
 action: vine.enum(['start', 'stop', 'restart']),
 })
 )
@@ -27,7 +27,7 @@ export const checkLatestVersionValidator = vine.compile(
 export const updateServiceValidator = vine.compile(
 vine.object({
- service_name: vine.string().trim(),
- target_version: vine.string().trim(),
+ service_name: vine.string().trim().maxLength(100).regex(/^[a-zA-Z0-9_-]+$/),
+ target_version: vine.string().trim().maxLength(50).regex(/^[a-zA-Z0-9._-]+$/),
 })
 )
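Review bot: `maxLength(500)` on the changed `filePath` line caps the size of the value but says nothing about its shape, and a caller-supplied path is only safe to hand to the filesystem if the consumer resolves it and confirms it stays under the expected directory — how the job-status handler uses filePath is not visible here. If the field is meant to name a file the upload endpoint produced (a sanitized client name plus a random hex suffix), a format rule such as `.regex(/* pattern matching the upload naming scheme */)` pins it to that shape and rejects separators and `..` before any service code sees the value. A one-line comment on the schema stating what `filePath` is expected to reference would help the next reader judge whether the length cap alone is sufficient.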
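Review bot: The rule `vine.string().trim().maxLength(100).regex(/^[a-zA-Z0-9_-]+$/)` is now written out three times, twice in this hunk and once in the `@@ -27,7` hunk (installServiceValidator, affectServiceValidator, updateServiceValidator); a single factory such as `const serviceName = () => vine.string().trim().maxLength(100).regex(/^[a-zA-Z0-9_-]+$/)` used as `service_name: serviceName(),` keeps the three in step when the character set changes. For `target_version` the class admits `.` and `-`, so values such as `..` or a leading `-` still pass; if the version later becomes a path segment or a command-line argument, a tighter pattern (for instance requiring a leading digit) would close that, but where the value flows is outside this hunk. A short comment above the factory naming why these characters are the allowed set would document the intent.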