diff --git a/oss/node-express-spawn/app.js b/oss/node-express-spawn/app.js
index 7d70745..19547a6 100644
--- a/oss/node-express-spawn/app.js
+++ b/oss/node-express-spawn/app.js
@@ -6,6 +6,7 @@ const app = express();
 const {PORT = 3000} = process.env;
+const ALLOWED_COMMANDS = ['echo', 'ping', 'whoami', 'date'];
 app.get('/dir/*', function (req, res) {
   spawnPgm('ls', ['-lh', req.path.split('/dir')[1]], (code, output) => {
     res.set('Content-Type', 'text/plain');
@@ -15,6 +16,10 @@ app.get('/dir/*', function (req, res) {
 app.get('/cmd/*', function (req, res) {
   const pgm = req.path.split('/cmd/')[1];
+  if (!ALLOWED_COMMANDS.includes(pgm)) {
+    res.status(403).set('Content-Type', 'text/plain');
+    return res.send('Error: Command not allowed.');
+  }
   const args = req.query.args ? req.query.args.split(',') : [];
   // spawnPgm(pgm, args, (code, output) => {
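Review bot: The allowlist on `pgm` in the `/cmd/*` hunk leaves `args` unchecked, so every allowlisted program (notably `ping`) still runs with caller-chosen arguments taken straight from `req.query.args`, which is where the remaining risk of this endpoint lives; the new guard should also constrain the arguments before the split, e.g. `if (req.query.args !== undefined && (typeof req.query.args !== 'string' || !/^[\w.,:-]*$/.test(req.query.args))) { res.status(400).set('Content-Type', 'text/plain'); return res.send('Error: Invalid arguments.'); }`. The `typeof` part matters on its own: with Express's default query parser a repeated `args` parameter arrives as an array, on which `.split` throws and the handler answers 500 instead of 400. Whether `spawnPgm` runs the program through a shell is not visible in this diff; if it does, the allowlist on the program name does nothing about shell metacharacters in the arguments, so that helper is worth checking alongside this change. The `/cmd/*` handler continues past the end of the hunk.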