diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..df020f9
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,15 @@
+# Security Policy
+
+## Supported Versions
+
+Updates are provided according to table below.
+
+| Version | Security Updates | Feature Updates |
+| ------- | ------------------ | ------------------ |
+| 3.x.x | :white_check_mark: | :white_check_mark: |
+| 2.x.x | :x: | :x: |
+| 1.x.x | :x: | :x: |
+
+## Reporting a Vulnerability
+
+If you discover any security related issues, please email cristian.tabacitu@backpackforlaravel.com instead of using the issue tracker.
diff --git a/src/BackpackElfinderController.php b/src/BackpackElfinderController.php
index 35dc848..cbac9ad 100644
--- a/src/BackpackElfinderController.php
+++ b/src/BackpackElfinderController.php
@@ -11,6 +11,11 @@ public function showPopup($input_id)
     {
         $mimes = request('mimes');
 
+        if (! isset($mimes)) {
+            Log::error('Someone attempted to tamper with mime types in elfinder popup. The attempt was blocked.');
+            abort(403, 'Unauthorized action.');
+        }
+
         try {
             $mimes = Crypt::decrypt(urldecode(request('mimes')));
         } catch (\Illuminate\Contracts\Encryption\DecryptException $e) {
@@ -18,7 +23,11 @@ public function showPopup($input_id)
             abort(403, 'Unauthorized action.');
         }
 
-        request()->merge(['mimes' => urlencode(serialize($mimes))]);
+        if (! empty($mimes)) {
+            request()->merge(['mimes' => urlencode(serialize($mimes))]);
+        } else {
+            request()->merge(['mimes' => '']);
+        }
 
         return $this->app['view']
             ->make($this->package.'::standalonepopup')
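Review bot: The new `isset($mimes)` guard in showPopup logs a request that merely omits the `mimes` parameter as a tampering attempt at error level, so any bookmarked or hand-typed popup URL without that parameter produces the same log line as a forged value, which makes the message a weak signal for whoever monitors these logs; the DecryptException branch below it is where a manipulated value is actually detected. A neutral message on this branch, e.g. `Log::warning('elfinder popup requested without a mimes parameter; request rejected.');`, keeps the tamper wording meaningful for the decrypt failure. The decrypt line still re-reads `request('mimes')` even though the value was just stored in `$mimes` and checked; `$mimes = Crypt::decrypt(urldecode($mimes));` uses the validated copy. Note that `isset` lets an empty string through, which then fails decryption and is reported by the catch branch rather than here. showPopup's body continues past this hunk.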
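Review bot: The `! empty($mimes)` test on the decrypted value treats `0`, `'0'`, `false` and `[]` exactly like a missing value and silently merges `'mimes' => ''`, so a caller cannot tell "no restriction supplied" from an unexpected payload type; the decrypted type is not visible in this hunk, but if it is meant to be an array of mime types then `$mimes === null || $mimes === []` states that intent explicitly. The two `merge` calls can also collapse into one expression: `request()->merge(['mimes' => empty($mimes) ? '' : urlencode(serialize($mimes))]);`. Whatever consumes `mimes` after this point (outside the hunk) now has to accept both an empty string and a URL-encoded serialized value, so a one-line comment on the else branch saying what an empty `mimes` means to that consumer would help the next reader. The `return` statement that closes showPopup continues beyond the last line shown.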