diff --git a/app.py b/app.py
index b3ce5a8..911cb6c 100644
--- a/app.py
+++ b/app.py
@@ -67,10 +67,19 @@ def create_conf():
 @app.route('/api/createconf', methods=['POST'])
 def create_conf_post():
+ auth_token = request.cookies.get('auth_token')
+ if auth_token != "" or auth_token is not None:
+ if db.get_user_bytoken(auth_token) is None:
+ return redirect("/login")
+
 config_name = request.form['config_name']
 token_name = request.form['token_name']
 key_length = request.form['key_length']
 ip = request.form['ip']
+ if db.get_conf_id_name(config_name+".squashfs") is not None:
+ return jsonify(message="400")
+ if db.get_conf_id(token_name) is not None:
+ return jsonify(message="400")
 folder = utils.generate_random_string(5)
 try:
 os.mkdir(os.path.join(os.getcwd(), 'configs', folder))
@@ -117,10 +126,30 @@ def login_api():
 response.set_cookie('auth_token', auth_token)
 return response
+@app.route('/delete/', methods=['POST'])
+def delete(image_id):
+ auth_token = request.cookies.get('auth_token')
+ if auth_token != "" or auth_token is not None:
+ if db.get_user_bytoken(auth_token) is None:
+ return redirect("/login")
+
+ filename = db.get_conf_image_id(image_id)
+ squashfs = os.path.join(app.config['UPLOAD_FOLDER'], filename)
+ pubkey = os.path.join(app.config['UPLOAD_FOLDER'], filename.split(".")[0])
+ if os.path.exists(squashfs):
+ os.remove(squashfs)
+ if os.path.exists(pubkey):
+ os.remove(pubkey)
+ db.del_image(image_id)
+
+ return redirect(url_for('list_images'))
 @app.route("/api/addimage", methods=['POST'])
 def add_image():
- db.Connect()
+ auth_token = request.cookies.get('auth_token')
+ if auth_token != "" or auth_token is not None:
+ if db.get_user_bytoken(auth_token) is None:
+ return redirect("/login")
 name = None
 try:
 file = request.files['file']
diff --git a/db.py b/db.py
index f5b9ef1..3d732e8 100644
--- a/db.py
+++ b/db.py
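Review bot: The guard `if auth_token != "" or auth_token is not None:` added at the top of `create_conf_post` in app.py is always true, because a missing cookie (`None`) satisfies the first operand and an empty cookie satisfies the second. The only effective check is therefore whatever `db.get_user_bytoken` returns for `None` or `""`; if that lookup can match a row whose token is empty (not visible here), the request is treated as authenticated. Reject empty values before the lookup by replacing the two `if` lines with `if not auth_token or db.get_user_bytoken(auth_token) is None:`, keeping the existing `return redirect("/login")`. The same lines are pasted into `delete` and `add_image` in the second app.py hunk, so a shared decorator would keep the check in one place.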
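Review bot: In the new `delete` view in app.py, the value returned by `db.get_conf_image_id(image_id)` goes straight into `os.path.join` and `os.remove` without a missing-row check or a containment check. An unknown id presumably yields `None`, which makes `os.path.join` raise and the request fail with a 500, and a stored name containing path separators would resolve to a file outside `UPLOAD_FOLDER`. Return a not-found response when there is no row, and resolve each target and confirm it stays under the upload directory before removing it, as sketched below. Whether names are sanitised when they are stored is not visible in this hunk, so the containment check is defence in depth. This is also a cookie-authenticated state change, and the `set_cookie` call in the context lines above sets no `samesite` or `httponly` attribute.

```python
def delete(image_id):
    # … unchanged: auth_token check …
    filename = db.get_conf_image_id(image_id)
    if filename is None:
        return jsonify(message="404"), 404
    root = os.path.realpath(app.config['UPLOAD_FOLDER'])
    for name in (filename, filename.split(".")[0]):
        target = os.path.realpath(os.path.join(root, name))
        # refuse anything that resolves to, or outside, the upload directory
        if target == root or os.path.commonpath([root, target]) != root:
            return jsonify(message="400"), 400
        if os.path.isfile(target):
            os.remove(target)
    db.del_image(image_id)
    # … unchanged: redirect to list_images …
```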
@@ -89,6 +89,9 @@ def get_conf_image(token):
 return get_one("SELECT image_name FROM image WHERE token = %s", token)
+def get_conf_image_id(id):
+ return get_one("SELECT image_name FROM image WHERE id = %s", id)
+
 def get_conf_id(token):
 return get_one("SELECT id FROM image WHERE token = %s", token)
@@ -188,6 +191,16 @@ def get_images():
 return images_all
 except:
 return None
+
+def del_image(image_id):
+ connect()
+ with get_cur() as cur:
+ cur.execute("DELETE FROM image WHERE id = %s", (image_id,))
+ try:
+ conn.commit()
+ return True
+ except:
+ return None
 def get_image_allocation_all_id():
 connect()
@@ -201,7 +214,6 @@ def get_image_allocation_all_id():
 return None
-
 def get_image_allocation_all():
 connect()
 with get_cur() as cur:
diff --git a/templates/images.html b/templates/images.html
index ebec4ab..6ffa24d 100644
--- a/templates/images.html
+++ b/templates/images.html
@@ -21,7 +21,7 @@ {{ image.token }} {{ image.name }} -
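Review bot: The parameter name `id` in the new `get_conf_image_id` in db.py shadows the builtin, and the function name reads as if it returned an id although the query selects `image_name`. Consider `def get_conf_image_id(image_id):` with a one-line docstring such as `"""Return the image_name stored for the given image id."""`. What `get_one` returns when no row matches is not visible in this hunk, so the docstring should state that only once it is confirmed.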
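Review bot: In the new `del_image` in db.py, `cur.execute` runs before the `try`, so a failing DELETE raises to the caller, while a failing commit is swallowed by the bare `except:` and reported as `None` with no rollback. The `delete` view added in app.py removes the files first and ignores this return value, so a failed delete leaves a row that points at files which no longer exist. Put the execute and the commit in one `try`, catch `Exception` rather than everything, roll back on failure, and have the caller check the result before it reports success.

```python
def del_image(image_id):
    connect()
    try:
        with get_cur() as cur:
            cur.execute("DELETE FROM image WHERE id = %s", (image_id,))
        conn.commit()
        return True
    except Exception:
        conn.rollback()
        return None
```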
+