diff --git a/api/advent22_api/routers/days.py b/api/advent22_api/routers/days.py
index ef90fa6..1954903 100644
--- a/api/advent22_api/routers/days.py
+++ b/api/advent22_api/routers/days.py
@@ -1,12 +1,13 @@
-# from datetime import date
+from datetime import date
 from io import BytesIO
 
-from fastapi import APIRouter, Depends
+from fastapi import APIRouter, Depends, HTTPException, status
 from fastapi.responses import StreamingResponse
 
 from ..config import Config, get_config
 from ._image import AdventImage
 from ._misc import get_image, shuffle
+from .user import user_is_admin
 
 router = APIRouter(prefix="/days", tags=["days"])
 
@@ -52,17 +53,36 @@ async def get_letter(
 # )
 
 
+async def user_can_view(
+    index: int,
+) -> bool:
+    today = date.today()
+
+    if today.month in (1, 2, 3):
+        return True
+
+    elif today.month == 12:
+        return index < today.day
+
+    return False
+
+
 @router.get(
-    "/picture/{index}",
+    "/image/{index}",
     response_class=StreamingResponse,
 )
 async def get_image_for_day(
     image: AdventImage = Depends(get_image),
+    can_view: bool = Depends(user_can_view),
+    is_admin: bool = Depends(user_is_admin),
 ) -> StreamingResponse:
     """
     Bild für einen Tag erstellen
     """
 
+    if not (can_view or is_admin):
+        raise HTTPException(status.HTTP_401_UNAUTHORIZED, "Wie unhöflich!!!")
+
     # Bilddaten in Puffer laden
     img_buffer = BytesIO()
     image.img.save(img_buffer, format="JPEG", quality=85)
diff --git a/api/advent22_api/routers/user.py b/api/advent22_api/routers/user.py
index af697e0..0e4a466 100644
--- a/api/advent22_api/routers/user.py
+++ b/api/advent22_api/routers/user.py
@@ -1,3 +1,5 @@
+import secrets
+
 from fastapi import APIRouter, Depends, HTTPException, status
 from fastapi.security import HTTPBasic, HTTPBasicCredentials
 
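Review bot: The `can_view or is_admin` fallback in `get_image_for_day` is unreachable for anonymous clients, because `is_admin: bool = Depends(user_is_admin)` pulls in `security = HTTPBasic()` from user.py, which with FastAPI's default `auto_error=True` rejects every request lacking an `Authorization` header with a 401 before the handler runs — so a visitor inside the viewing window who has no credentials cannot fetch any image. Consider `HTTPBasic(auto_error=False)` together with `if credentials is None: return False` at the top of `user_is_admin`, or a separate optional-auth dependency for this route. `user_can_view` decides on `date.today()`, i.e. the server's local date; if the intended calendar day is the users', the timezone should be made explicit (`datetime.now(tz=...)`), and a docstring stating that `index` is compared against the day of month (`index < today.day`, presumably zero-based) would spare the next reader a guess. The 401 raised for an authenticated-but-too-early request also lacks a `WWW-Authenticate` header and arguably should be a 403; the body of `get_image_for_day` continues past the hunk.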
@@ -7,18 +9,23 @@ router = APIRouter(prefix="/user", tags=["user"])
 security = HTTPBasic()
 
 
-async def is_admin(
+async def user_is_admin(
     credentials: HTTPBasicCredentials = Depends(security),
     config: Config = Depends(get_config),
 ) -> bool:
-    if config.admin.name == credentials.username:
-        if config.admin.password == credentials.password:
-            return True
-    return False
+    username_correct = secrets.compare_digest(
+        credentials.username, config.admin.name
+    )
+
+    password_correct = secrets.compare_digest(
+        credentials.password, config.admin.password
+    )
+
+    return username_correct and password_correct
 
 
 async def require_admin(
-    is_admin: bool = Depends(is_admin),
+    is_admin: bool = Depends(user_is_admin),
 ) -> None:
     if not is_admin:
         raise HTTPException(status.HTTP_401_UNAUTHORIZED)
@@ -27,5 +34,5 @@ async def require_admin(
 @router.get("/admin")
 def check_admin(
     _: None = Depends(require_admin),
-) -> None:
-    return None
+) -> bool:
+    return True
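Review bot: `secrets.compare_digest` on `str` arguments raises `TypeError` when either side contains a non-ASCII character, so in `user_is_admin` a client that sends an umlaut in the Basic-auth username or password produces a 500 instead of a clean "not admin"; compare bytes instead, `credentials.username.encode("utf-8"), config.admin.name.encode("utf-8")`, and likewise on the password line. The constant-time comparison is the right move, and evaluating both flags before the `and` keeps the timing independent of which field is wrong — a one-line comment such as `# both comparisons always run: no short-circuit on the username` would stop a later refactor from collapsing it. `require_admin` still raises its 401 without `headers={"WWW-Authenticate": "Basic"}`, which clients need in order to prompt for credentials; the `raise HTTPException(status.HTTP_401_UNAUTHORIZED)` line in this hunk is the place to add it.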