diff --git a/rowers/dataprep.py b/rowers/dataprep.py
index b2ae436f..3843d4ec 100644
--- a/rowers/dataprep.py
+++ b/rowers/dataprep.py
@@ -3,7 +3,6 @@
 from __future__ import division
 from __future__ import print_function
 from __future__ import unicode_literals
-
 # All the data preparation, data cleaning and data mangling should
 # be defined here
 from __future__ import unicode_literals, absolute_import
@@ -1568,7 +1567,6 @@ def new_workout_from_file(r, f2,
 if workoutsource is None:
 workoutsource = fileformat
- print(f2,'final name')
 id, message = save_workout_database(
 f2, r, notes=notes,
diff --git a/rowers/rows.py b/rowers/rows.py
index 6393fa02..fa34cf00 100644
--- a/rowers/rows.py
+++ b/rowers/rows.py
@@ -7,6 +7,11 @@ import time
 import gzip
 import shutil
 import hashlib
+
+
+ import uuid
+
+
 from django.core.exceptions import ValidationError
 def format_pace_tick(x,pos=None):
@@ -26,7 +31,7 @@ def format_time_tick(x,pos=None):
 def format_pace(x,pos=None):
 if isinf(x) or isnan(x):
 x=0
-
+
 min=int(x/60)
 sec=(x-min*60.)
@@ -73,14 +78,14 @@ def must_be_csv(value):
 valid_extensions = ['.csv','.CSV']
 if not ext in valid_extensions:
 raise ValidationError(u'File not supported!')
-
+
 def validate_kml(value):
 import os
 ext = os.path.splitext(value.name)[1]
 valid_extensions = ['.kml','.KML']
 if not ext in valid_extensions:
 raise ValidationError(u'File not supported!')
-
+
 def handle_uploaded_image(i):
 from io import StringIO, BytesIO
@@ -92,8 +97,8 @@ def handle_uploaded_image(i):
 image_str += chunk
 imagefile = BytesIO(image_str)
-
-
+
+
 image = Image.open(i)
 try:
@@ -105,7 +110,7 @@ def handle_uploaded_image(i):
 except (AttributeError, KeyError, IndexError):
 # cases: image don't have getexif
 exif = {'orientation':0}
-
+
 if image.mode not in ("L", "RGB"):
 image = image.convert("RGB")
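Review bot: The new `import uuid` in rows.py is separated from the neighbouring stdlib imports by two blank lines on each side, which reads as an accidental paste rather than the file's import grouping. Place it directly after `import hashlib` with no surrounding blank lines so the stdlib group stays contiguous and the blank line before the django import keeps its meaning.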
@@ -128,18 +133,17 @@ def handle_uploaded_image(i):
 filename2 = os.path.join('static/plots/',filename)
 image.save(filename2,'JPEG')
-
+
 return filename,filename2
-
+
 def handle_uploaded_file(f):
 fname = f.name
- timestr = time.strftime("%Y%m%d-%H%M%S")
+ timestr = uuid.uuid4().hex[:10]+'-'+time.strftime("%Y%m%d-%H%M%S")
 fname = timestr+'-'+fname
 fname2 = 'media/'+fname
 with open(fname2,'wb+') as destination:
 for chunk in f.chunks():
 destination.write(chunk)
-
-
 return fname,fname2
+ return fname,fname2
diff --git a/rowers/tests/test_emails.py b/rowers/tests/test_emails.py
index 06ede1d6..11149be0 100644
--- a/rowers/tests/test_emails.py
+++ b/rowers/tests/test_emails.py
@@ -63,7 +63,7 @@ workout run
 'upload_to_C2': False,
 'plottype': 'timeplot',
 'file': 'media/mailbox_attachments/colin3.csv',
- 'secret': 'potjandorie',
+ 'secret': settings.UPLOAD_SERVICE_SECRET,
 'user': 1,
 }
diff --git a/rowers/views/workoutviews.py b/rowers/views/workoutviews.py
index fd2cc78c..d0078ad5 100644
--- a/rowers/views/workoutviews.py
+++ b/rowers/views/workoutviews.py
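Review bot: handle_uploaded_file now ends with two `return fname,fname2` lines — the pre-existing one kept as context right after `destination.write(chunk)` and the one this hunk adds — and the collapsed hunk does not show their indentation. If the first return sits inside the `with`/`for` block, the function returns after the first chunk is written and the added return is unreachable; only one return, at function level after the `with` block, should remain. Separately, `f.name` flows straight into the path `'media/'+fname`; Django's UploadedFile should already reduce the name to a basename, but `fname = timestr+'-'+os.path.basename(f.name)` makes that assumption explicit in this function rather than relying on the caller (check that `os` is imported at module level, since the neighbouring functions import it locally). The uuid prefix itself is a good change: the stored name becomes unpredictable and two uploads in the same second no longer collide.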
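Review bot: `settings` is referenced on the new side of the test_emails.py hunk but no import of it is visible in the hunk; if the module does not already import it, the test fails with NameError, so add `from django.conf import settings` at the top of the file. The test also now depends on whatever value the settings module supplies for UPLOAD_SERVICE_SECRET when the config key is absent; wrapping the test in `override_settings(UPLOAD_SERVICE_SECRET='test-secret')` (constructed value) would make that dependency explicit instead of relying on a fallback defined elsewhere.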
@@ -4391,15 +4391,20 @@ def workout_toggle_ranking(request,id=0):
 @csrf_exempt
 def workout_upload_api(request):
 if request.method != 'POST':
- raise PermissionDenied("This view cannot be accessed")
+ message = {'status':'false','message':'this view cannot be accessed through GET'}
+ return JSONResponse(status=403,data=message)
 # only allow local host
- print(request.get_host(),'get_host')
+ hostt = request.get_host().split(':')
+ if hostt[0] not in ['localhost','127.0.0.1']:
+ message = {'status':'false','message':'permission denied'}
+ return JSONResponse(status=403,data=message)
 # check credentials here
 secret = request.POST['secret']
- if secret != 'potjandorie':
- raise PermissionDenied("Invalid credentials")
+ if secret != settings.UPLOAD_SERVICE_SECRET:
+ message = {'status':'false','message':'invalid credentials'}
+ return JSONResponse(status=403,data=message)
 form = DocumentsForm(request.POST)
 optionsform = TeamUploadOptionsForm(request.POST)
@@ -4408,7 +4413,6 @@ def workout_upload_api(request):
 try:
 fstr = request.POST['file']
 f1 = uuid.uuid4().hex[:10]+'-'+time.strftime("%Y%m%d-%H%M%S")+os.path.splitext(fstr)[1]
- print(f1)
 f2 = 'media/'+f1
 copyfile(fstr,f2)
 except KeyError:
diff --git a/rowsandall_app/settings.py b/rowsandall_app/settings.py
index c453669c..372c6f69 100644
--- a/rowsandall_app/settings.py
+++ b/rowsandall_app/settings.py
@@ -247,6 +247,10 @@ LOGOUT_REDIRECT_URL = '/'
 # Update Cache with task progress password
 PROGRESS_CACHE_SECRET = CFG['progress_cache_secret']
+try:
+ UPLOAD_SERVICE_SECRET = CFG['upload_service_secret']
+except KeyError:
+ UPLOAD_SERVICE_SECRET = "FoYezZWLSyfAVimumpHEeYsJjsNCerxV"
 # Concept 2
 C2_CLIENT_ID = CFG['c2_client_id']
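Review bot: The new "only allow local host" check compares `request.get_host()`, which comes from the client-supplied Host header (filtered only by ALLOWED_HOSTS), so it does not establish that the request originated on the local machine; if that is the intent, compare the peer address instead, e.g. `if request.META.get('REMOTE_ADDR') not in ('127.0.0.1', '::1'):`, bearing in mind that behind a reverse proxy REMOTE_ADDR is the proxy's address and the check must be done there. The shared-secret check on the following lines should tolerate a missing field and use a constant-time comparison: `secret = request.POST.get('secret', '')` and `if not constant_time_compare(secret, settings.UPLOAD_SERVICE_SECRET):` (from django.utils.crypto), since `request.POST['secret']` currently turns a request without the field into a 500 rather than the 403 the other branches return. The three denial branches build the same dict by hand; a small helper returning `JSONResponse(status=403, data={'status':'false','message':message})` would keep them consistent. workout_upload_api continues past this hunk, and in the next hunk `fstr = request.POST['file']` is still handed straight to `copyfile`, so any caller holding the secret can have an arbitrary readable server path copied into media/ — resolve the path and reject it unless it lies under the expected attachments directory before copying.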
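Review bot: The `except KeyError` fallback in settings.py hard-codes a literal secret into source, so every deployment whose config omits `upload_service_secret` shares a credential that is visible to anyone with the repository, and the upload API accepts it. Fail loudly instead, matching the line above it: `UPLOAD_SERVICE_SECRET = CFG['upload_service_secret']` with no try/except (or raise `ImproperlyConfigured` with a clear message), and give the test suite its value through test settings or `override_settings` rather than a production fallback. The previous literal `'potjandorie'` stays in git history for both the view and the test, so treat it as disclosed and make sure deployed configs carry a freshly generated value.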