diff --git a/app/src/main/kotlin/org/gameyfin/app/core/security/DynamicPublicAccessAuthorizationManager.kt b/app/src/main/kotlin/org/gameyfin/app/core/security/DynamicPublicAccessAuthorizationManager.kt
index 689f87d..d2e0916 100644
--- a/app/src/main/kotlin/org/gameyfin/app/core/security/DynamicPublicAccessAuthorizationManager.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/core/security/DynamicPublicAccessAuthorizationManager.kt
@@ -17,7 +17,9 @@ class DynamicPublicAccessAuthorizationManager(
 authentication: Supplier?,
 `object`: RequestAuthorizationContext?
 ): AuthorizationDecision? {
- val allow = config.get(ConfigProperties.Libraries.AllowPublicAccess) == true
+ val auth = authentication?.get()
+ val allow = (auth?.isAuthenticated == true && auth.principal != "anonymousUser") ||
+ config.get(ConfigProperties.Libraries.AllowPublicAccess) == true
 return AuthorizationDecision(allow)
 }
 }
\ No newline at end of file
diff --git a/app/src/main/kotlin/org/gameyfin/app/core/security/SecurityConfig.kt b/app/src/main/kotlin/org/gameyfin/app/core/security/SecurityConfig.kt
index 99f59bd..1319366 100644
--- a/app/src/main/kotlin/org/gameyfin/app/core/security/SecurityConfig.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/core/security/SecurityConfig.kt
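Review bot: In DynamicPublicAccessAuthorizationManager.kt the added `auth.principal != "anonymousUser"` test recognises anonymous requests by a magic string, which only holds while the anonymous principal keeps Spring Security's default name; if that name is ever customised, anonymous requests would count as signed-in and bypass the AllowPublicAccess setting. Checking the token type is sturdier: `val signedIn = auth != null && auth.isAuthenticated && auth !is AnonymousAuthenticationToken`, followed by `val allow = signedIn || config.get(ConfigProperties.Libraries.AllowPublicAccess) == true`. That needs an import of `org.springframework.security.authentication.AnonymousAuthenticationToken`, which is outside the hunk. The function's signature also starts above the hunk, so the override being implemented is not visible here.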
@@ -44,13 +44,15 @@ class SecurityConfig(
 .requestMatchers("/reset-password").permitAll()
 .requestMatchers("/accept-invitation").permitAll()
 .requestMatchers("/public/**").permitAll()
- .requestMatchers("/images/**").permitAll()
 // Dynamic public access for certain endpoints
- auth.requestMatchers("/game/**").access(DynamicPublicAccessAuthorizationManager(config))
+ auth.requestMatchers("/").access(DynamicPublicAccessAuthorizationManager(config))
+ .requestMatchers("/game/**").access(DynamicPublicAccessAuthorizationManager(config))
 .requestMatchers("/library/**").access(DynamicPublicAccessAuthorizationManager(config))
 .requestMatchers("/search/**").access(DynamicPublicAccessAuthorizationManager(config))
 .requestMatchers("/download/**").access(DynamicPublicAccessAuthorizationManager(config))
+ .requestMatchers("/images/**").access(DynamicPublicAccessAuthorizationManager(config))
+ .requestMatchers("/images/**").access(DynamicPublicAccessAuthorizationManager(config))
 }
 http.sessionManagement { sessionManagement ->
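Review bot: The `/images/**` rule is added twice in a row at the end of the dynamic-access chain in SecurityConfig.kt. Rules are matched in order, so the second copy should never be consulted; either drop it or, if a different path was intended, replace it with that path. The manager is also constructed once per matcher (six times here); a single `val dynamicAccess = DynamicPublicAccessAuthorizationManager(config)` reused in each `.access(dynamicAccess)` call would keep the list easier to audit. Since `/images/**` is no longer `permitAll()`, it is worth confirming that the still-public pages (`/reset-password`, `/accept-invitation`) do not load assets from that path when public access is off. The enclosing authorization block begins above the hunk.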