diff --git a/expressjs/src/server.js b/expressjs/src/server.js
index d56cb6d..90e9fd1 100644
--- a/expressjs/src/server.js
+++ b/expressjs/src/server.js
@@ -146,11 +146,20 @@ function toBase32(buffer) {
 return output;
 }
-function createToken(timestampMs) {
- const tsBuffer = Buffer.alloc(8);
- tsBuffer.writeBigUInt64BE(BigInt(timestampMs));
- const randomPart = crypto.randomBytes(12);
- return toBase32(Buffer.concat([tsBuffer, randomPart]));
+function createRandomId() {
+ return toBase32(crypto.randomBytes(5));
+}
+
+function sanitizeBaseName(originalName) {
+ const ext = path.extname(originalName || '');
+ const base = path.basename(originalName || 'datei', ext);
+ const cleaned = base
+ .replace(/\s+/g, '-')
+ .replace(/[^a-zA-Z0-9_-]/g, '')
+ .replace(/-+/g, '-')
+ .replace(/_+/g, '_')
+ .replace(/^[-_]+|[-_]+$/g, '');
+ return cleaned || 'datei';
 }
 function sanitizeExtension(originalName) {
@@ -502,9 +511,10 @@ app.post(`${basePath}/api/upload`, requireAuthApi, upload.single('file'), async
 }
 const now = Date.now();
- const token = createToken(now);
 const ext = sanitizeExtension(req.file.originalname);
- const storedName = `_${token}${ext}`;
+ const baseName = sanitizeBaseName(req.file.originalname);
+ const token = createRandomId();
+ const storedName = `_${baseName}-${token}${ext}`;
 const storedPath = path.join(shareDir, storedName);
 const retentionOverride = parseFloat(req.body.retentionHours || '');
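Review bot: `createRandomId` draws only 5 random bytes (40 bits), where the removed `createToken` used 12 random bytes plus a timestamp. The rest of the new file name is the uploader-chosen base name and extension, so the name is only as hard to guess as those 40 bits. If the stored name is what keeps a share link private (not visible in this hunk), keep at least the old width, e.g. `return toBase32(crypto.randomBytes(16));`. Separately, `sanitizeBaseName` restricts characters but not length, so a very long client-supplied name can exceed the filesystem's file-name limit; a cap such as `.slice(0, 64)` ahead of the final `.replace(/^[-_]+|[-_]+$/g, '')` would bound it.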
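Review bot: Uniqueness of `storedName` now rests on the 40-bit suffix from `createRandomId()`, and nothing in this hunk checks whether `storedPath` already exists before it is used. The write itself happens further down the handler, outside the hunk, so this may already be handled there. If it is not, create the file exclusively (the `wx` flag of `fs.open`/`fs.writeFile`) or regenerate the token on `EEXIST`, so two uploads of the same name cannot overwrite each other. A short comment would also help the next reader: `// baseName is client-supplied and only cosmetic; the random token is what keeps the name unique`.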