diff --git a/app/controllers/avatars_controller.rb b/app/controllers/avatars_controller.rb
new file mode 100644
index 0000000..5afde73
--- /dev/null
+++ b/app/controllers/avatars_controller.rb
@@ -0,0 +1,20 @@
+class AvatarsController < ApplicationController
+ def show
+ if user = User.find_by(cn: params[:username])
+ http_status :not_found and return unless user.avatar.attached?
+
+ sha256_hash = params[:hash]
+ format = params[:format].to_sym || :png
+ size = params[:size]&.to_sym || :large
+
+ unless user.avatar_filename == "#{sha256_hash}.#{format}"
+ http_status :not_found and return
+ end
+
+ send_file user.avatar.service.path_for(user.avatar.key),
+ disposition: "inline", type: "image/#{format}"
+ else
+ http_status :not_found and return
+ end
+ end
+end
diff --git a/config/routes.rb b/config/routes.rb
index 8344410..759abcc 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -15,6 +15,9 @@ Rails.application.routes.draw do
 match 'signup/:step', to: 'signup#steps', as: :signup_steps, via: [:get, :post]
 post 'signup_validate', to: 'signup#validate'
+
+ get "users/:username/avatars/:hash", to: "avatars#show", as: :user_avatar
+
 namespace :contributions do
 root to: 'donations#index'
 resources :donations, only: ['index', 'create'] do
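Review bot: In `AvatarsController#show`, `params[:format].to_sym || :png` raises NoMethodError when the request carries no extension, because `.to_sym` is called on nil and the `|| :png` fallback can never take effect; the next line already uses `&.to_sym`. I would keep the value as a string, `format = params[:format].presence || "png"`, which also avoids turning request input into symbols. The response type is built as `"image/#{format}"` from that same parameter, which yields non-standard values such as `image/jpg` for a stored `.jpg`; if the attachment is an Active Storage blob, as the `attached?` and `key` calls suggest, `type: user.avatar.content_type` takes it from the stored record instead. `size` is assigned but never read in this hunk, and `service.path_for` presumably only works with the local disk service, which deserves a comment.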
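Review bot: The new `users/:username/avatars/:hash` route in config/routes.rb puts no constraint on `:hash` and leaves the implicit `.format` suffix optional, so malformed requests reach the controller and its `User.find_by` lookup. If the hash is always a hex SHA-256 digest, as the controller's `sha256_hash` name suggests, `constraints: { hash: /\h{64}/ }` on the route rejects anything else at routing time. A short comment above the route saying that the hash segment must match the stored avatar filename would help the next reader.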