diff --git a/README.md b/README.md
index f83297d..fd897f6 100644
--- a/README.md
+++ b/README.md
@@ -45,18 +45,27 @@ Remember to update the domain name in the Caddyfile.
 
 ### Client side
 
-#### Only get the file
+#### Download with wget
 
-`wget -c --tries=5 --waitretry=3 --content-disposition "https://dockerimagesave.akiel.dev/image?name=ubuntu:25.04"`
+- Resumable download (keeps the file):
 
-#### Direct pipe (simple)
+	```bash
+	wget -c --tries=5 --waitretry=3 --content-disposition \
+		"https://dockerimagesave.akiel.dev/image?name=ubuntu:25.04"
+	```
 
-```bash
-wget --tries=5 --waitretry=3 -q -O - "https://dockerimagesave.akiel.dev/image?name=ubuntu:25.04" | docker load
-```
+- Stream straight into Docker (no file left on disk):
 
-#### With resume support (for large images or if you want to keep the file)
+	```bash
+	wget --tries=5 --waitretry=3 -q -O - \
+		"https://dockerimagesave.akiel.dev/image?name=ubuntu:25.04" | docker load
+	```
 
-```bash
-wget -c --tries=5 --waitretry=3 --content-disposition "https://dockerimagesave.akiel.dev/image?name=ubuntu:25.04" && docker load -i ubuntu_25_04.tar
-```
+- Request a specific platform (matching `docker pull --platform`):
+
+	```bash
+	wget --tries=5 --waitretry=3 -q -O - \
+		"https://dockerimagesave.akiel.dev/image?name=ubuntu:25.04&platform=linux/amd64" | docker load
+	```
+
+Note: `--content-disposition` lets wget honor the filename suggested by the server.
diff --git a/image.go b/image.go
index b9539c4..66fd25b 100644
--- a/image.go
+++ b/image.go
@@ -161,22 +161,34 @@ func createOutputTar(ref ImageReference, tempDir, outputDir string) (string, err
 		return "", err
 	}
 
-	safeImageName := sanitizeFilenameComponent(ref.Repository)
-	safeTag := sanitizeFilenameComponent(ref.Tag)
-	outputPath := filepath.Join(outputDir, fmt.Sprintf("%s_%s.tar.gz", safeImageName, safeTag))
+	// Build filename using the image reference components
+	// Replace path separators with underscores to create a flat filename
+	imageName := strings.ReplaceAll(ref.Repository, "/", "_")
+	platformStr := strings.ReplaceAll(ref.Platform.String(), "/", "_")
+	filename := fmt.Sprintf("%s_%s_%s.tar.gz", imageName, ref.Tag, platformStr)
+	outputPath := filepath.Join(outputDir, filename)
+
+	// Clean the path and validate it stays within the output directory
+	cleanOutputDir := filepath.Clean(outputDir)
+	cleanOutputPath := filepath.Clean(outputPath)
+	if !strings.HasPrefix(cleanOutputPath, cleanOutputDir+string(filepath.Separator)) && cleanOutputPath != cleanOutputDir {
+		return "", fmt.Errorf("invalid path: potential path traversal detected")
+	}
 
 	log.Println("Creating tar archive...")
-	if err := createTar(tempDir, outputPath); err != nil {
+	if err := createTar(tempDir, cleanOutputPath); err != nil {
 		return "", fmt.Errorf("failed to create tar: %w", err)
 	}
 
-	log.Printf("Image saved to: %s\n", outputPath)
-	return outputPath, nil
+	log.Printf("Image saved to: %s\n", cleanOutputPath)
+	return cleanOutputPath, nil
 }
 
 // DownloadImage downloads a Docker image and saves it as a tar file
-func DownloadImage(imageRef string, outputDir string) (string, error) {
+// platform should be in format "os/architecture" (e.g., "linux/amd64", "linux/arm64")
+func DownloadImage(imageRef string, outputDir string, platform string) (string, error) {
 	ref := ParseImageReference(imageRef)
+	ref.Platform = ParsePlatform(platform)
 
 	// Validate the image reference to prevent SSRF and other attacks
 	if err := ValidateImageReference(ref); err != nil {
diff --git a/image_test.go b/image_test.go
index 5a5b398..745774f 100644
--- a/image_test.go
+++ b/image_test.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 )
 
@@ -219,7 +220,7 @@ func TestDownloadImage_PublicImage(t *testing.T) {
 	}
 	defer cleanupTempDir(t, outputDir)
 
-	imagePath, err := DownloadImage("alpine:latest", outputDir)
+	imagePath, err := DownloadImage("alpine:latest", outputDir, "")
 	if err != nil {
 		t.Fatalf("DownloadImage failed: %v", err)
 	}
@@ -248,7 +249,7 @@ func TestDownloadImage_WithAuthentication(t *testing.T) {
 	}
 	defer cleanupTempDir(t, outputDir)
 
-	imagePath, err := DownloadImage("busybox:latest", outputDir)
+	imagePath, err := DownloadImage("busybox:latest", outputDir, "")
 	if err != nil {
 		t.Fatalf("DownloadImage with auth failed: %v", err)
 	}
@@ -269,8 +270,152 @@ func TestDownloadImage_NonExistentImage(t *testing.T) {
 	}
 	defer cleanupTempDir(t, outputDir)
 
-	_, err = DownloadImage("thisimagedoesnotexist12345:nonexistenttag", outputDir)
+	_, err = DownloadImage("thisimagedoesnotexist12345:nonexistenttag", outputDir, "")
 	if err == nil {
 		t.Error("expected error for non-existent image")
 	}
 }
+
+func TestDownloadImage_WithPlatform(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping integration test")
+	}
+
+	tests := []struct {
+		name     string
+		image    string
+		platform string
+	}{
+		{
+			name:     "linux/amd64",
+			image:    "alpine:latest",
+			platform: "linux/amd64",
+		},
+		{
+			name:     "linux/arm64",
+			image:    "alpine:latest",
+			platform: "linux/arm64",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			outputDir, err := os.MkdirTemp("", "test-download-platform-*")
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer cleanupTempDir(t, outputDir)
+
+			imagePath, err := DownloadImage(tt.image, outputDir, tt.platform)
+			if err != nil {
+				t.Fatalf("DownloadImage with platform %s failed: %v", tt.platform, err)
+			}
+
+			if _, err := os.Stat(imagePath); os.IsNotExist(err) {
+				t.Errorf("expected image file to exist at %s", imagePath)
+			}
+
+			info, err := os.Stat(imagePath)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if info.Size() == 0 {
+				t.Error("expected non-zero file size")
+			}
+
+			// Verify filename includes platform
+			platformParts := strings.Split(tt.platform, "/")
+			if len(platformParts) != 2 {
+				t.Fatalf("invalid platform format %q, expected <os>/<arch>", tt.platform)
+			}
+			expectedSuffix := "_" + platformParts[0] + "_" + platformParts[1] + ".tar.gz"
+			if !strings.HasSuffix(imagePath, expectedSuffix) {
+				t.Errorf("expected filename to end with '%s', got '%s'", expectedSuffix, imagePath)
+			}
+		})
+	}
+}
+
+func TestDownloadImage_UnsupportedPlatform(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping integration test")
+	}
+
+	outputDir, err := os.MkdirTemp("", "test-download-unsupported-platform-*")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cleanupTempDir(t, outputDir)
+
+	// Try to download with a platform that doesn't exist for this image
+	_, err = DownloadImage("alpine:latest", outputDir, "windows/arm64")
+	if err == nil {
+		t.Error("expected error for unsupported platform")
+	}
+}
+
+func TestCreateOutputTar_IncludesPlatformInFilename(t *testing.T) {
+	tempDir, err := os.MkdirTemp("", "test-output-tar-platform-*")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cleanupTempDir(t, tempDir)
+
+	outputDir, err := os.MkdirTemp("", "test-output-dir-platform-*")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cleanupTempDir(t, outputDir)
+
+	// Create a minimal file structure for tar
+	if err := os.WriteFile(filepath.Join(tempDir, "test.txt"), []byte("test"), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	tests := []struct {
+		name     string
+		ref      ImageReference
+		expected string
+	}{
+		{
+			name: "linux_amd64 platform",
+			ref: ImageReference{
+				Registry:   "registry-1.docker.io",
+				Repository: "library/alpine",
+				Tag:        "latest",
+				Platform:   Platform{OS: "linux", Architecture: "amd64"},
+			},
+			expected: "library_alpine_latest_linux_amd64.tar.gz",
+		},
+		{
+			name: "linux_arm64 platform",
+			ref: ImageReference{
+				Registry:   "registry-1.docker.io",
+				Repository: "library/alpine",
+				Tag:        "3.18",
+				Platform:   Platform{OS: "linux", Architecture: "arm64"},
+			},
+			expected: "library_alpine_3.18_linux_arm64.tar.gz",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			testOutputDir, err := os.MkdirTemp("", "test-output-*")
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer cleanupTempDir(t, testOutputDir)
+
+			outputPath, err := createOutputTar(tt.ref, tempDir, testOutputDir)
+			if err != nil {
+				t.Fatalf("createOutputTar failed: %v", err)
+			}
+
+			expectedPath := filepath.Join(testOutputDir, tt.expected)
+			if outputPath != expectedPath {
+				t.Errorf("expected path '%s', got '%s'", expectedPath, outputPath)
+			}
+		})
+	}
+}
diff --git a/index.html b/index.html
index f9a04eb..9a7a789 100644
--- a/index.html
+++ b/index.html
@@ -1,10 +1,13 @@
 <!DOCTYPE html>
 <html lang="en">
+
 <head>
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <meta name="description" content="Download Docker images as files. Useful if you are located in places where DockerHub is blocked."/>
-    <meta name="keywords" content="download docker image, download docker image as file, docker image download, download docker image tar, offline docker images, docker save download, download image from Docker Hub, download container image, dockerhub download file, download docker images without docker pull, docker cuba, docker iran, docker china, download docker images when DockerHub is blocked"/>
+    <meta name="description"
+        content="Download Docker images as files. Useful if you are located in places where DockerHub is blocked." />
+    <meta name="keywords"
+        content="download docker image, download docker image as file, docker image download, download docker image tar, offline docker images, docker save download, download image from Docker Hub, download container image, dockerhub download file, download docker images without docker pull, docker cuba, docker iran, docker china, download docker images when DockerHub is blocked" />
     <title>Download Docker images</title>
     <style>
         * {
@@ -42,18 +45,38 @@
             display: flex;
             flex-direction: column;
             align-items: center;
+            width: 100%;
+            max-width: 600px;
+        }
+
+        .search-row {
+            display: flex;
+            gap: 12px;
+            width: 100%;
+            justify-content: center;
+            align-items: center;
+            margin-bottom: 24px;
+            flex-wrap: wrap;
         }
 
         .search-wrapper {
             display: flex;
             align-items: center;
-            width: 584px;
-            max-width: 90vw;
             height: 44px;
             border: 1px solid #dfe1e5;
             border-radius: 24px;
             padding: 0 14px;
-            margin-bottom: 18px;
+            background-color: #fff;
+        }
+
+        .name-wrapper {
+            flex: 2;
+            min-width: 280px;
+        }
+
+        .platform-wrapper {
+            flex: 1;
+            min-width: 150px;
         }
 
         .search-wrapper:hover,
@@ -68,11 +91,19 @@
             outline: none;
             font-size: 16px;
             background: transparent;
+            width: 100%;
+        }
+
+        select.search-input {
+            cursor: pointer;
+            background-color: transparent;
         }
 
         .buttons {
             display: flex;
             gap: 12px;
+            flex-wrap: wrap;
+            justify-content: center;
         }
 
         .btn {
@@ -192,6 +223,7 @@
             0% {
                 transform: translateX(-100%);
             }
+
             100% {
                 transform: translateX(400%);
             }
@@ -229,296 +261,354 @@
         }
     </style>
 </head>
+
 <body>
-<div class="github-ribbon">
-    <a href="https://github.com/jadolg/DockerImageSave" target="_blank" rel="noopener noreferrer">Fork me on GitHub</a>
-</div>
-<div class="container">
-    <div class="logo">
-        <img src="/logo.png" alt="Docker Image Download — save Docker images as files">
+    <div class="github-ribbon">
+        <a href="https://github.com/jadolg/DockerImageSave" target="_blank" rel="noopener noreferrer">Fork me on
+            GitHub</a>
     </div>
-    <form class="search-box" id="downloadForm">
-        <div class="search-wrapper">
-            <input type="text" class="search-input" id="imageName" name="name" placeholder="ubuntu:25.04"
-                   autocomplete="off" autofocus>
+    <div class="container">
+        <div class="logo">
+            <img src="/logo.png" alt="Docker Image Download — save Docker images as files">
         </div>
-        <div class="buttons">
-            <button type="submit" class="btn" id="downloadBtn">Download</button>
+        <form class="search-box" id="downloadForm">
+            <div class="search-row">
+                <div class="search-wrapper name-wrapper">
+                    <input type="text" class="search-input" id="imageName" name="name" placeholder="ubuntu:25.04"
+                        autocomplete="off" autofocus>
+                </div>
+                <div class="search-wrapper platform-wrapper">
+                    <select class="search-input" id="platform" name="platform">
+                        <option value="linux/amd64" selected>linux/amd64</option>
+                        <option value="linux/arm64">linux/arm64</option>
+                        <option value="linux/arm/v7">linux/arm/v7</option>
+                        <option value="linux/arm/v6">linux/arm/v6</option>
+                        <option value="linux/386">linux/386</option>
+                        <option value="linux/ppc64le">linux/ppc64le</option>
+                        <option value="linux/s390x">linux/s390x</option>
+                        <option value="linux/riscv64">linux/riscv64</option>
+                        <option value="windows/amd64">windows/amd64</option>
+                    </select>
+                </div>
+            </div>
+            <div class="buttons">
+                <button type="submit" class="btn" id="downloadBtn">Download</button>
+                <button type="button" class="btn" id="directBtn">Browser download</button>
+            </div>
+        </form>
+        <div class="status" id="wgetSnippet"></div>
+        <div class="status" id="status"></div>
+        <div class="progress-bar" id="progressBar">
+            <div class="progress-fill" id="progressFill"></div>
         </div>
-    </form>
-    <div class="status" id="status"></div>
-    <div class="progress-bar" id="progressBar">
-        <div class="progress-fill" id="progressFill"></div>
     </div>
-</div>
-
-<script>
-    const form = document.getElementById('downloadForm');
-    const imageNameInput = document.getElementById('imageName');
-    const downloadBtn = document.getElementById('downloadBtn');
-    const status = document.getElementById('status');
-    const progressBar = document.getElementById('progressBar');
-    const progressFill = document.getElementById('progressFill');
-
-    function parseError(errorMessage) {
-        // Try to extract meaningful parts from the error
-        const result = {
-            title: 'Download Failed',
-            message: errorMessage,
-            detail: null
-        };
-
-        // Check for common error patterns
-        if (errorMessage.includes('MANIFEST_UNKNOWN') || errorMessage.includes('manifest unknown')) {
-            result.title = 'Image Not Found';
-            result.message = 'The requested image tag does not exist.';
-            // Try to extract the tag
-            const tagMatch = errorMessage.match(/unknown tag=([^\s}"]+)/);
-            if (tagMatch) {
-                result.detail = `Tag "${tagMatch[1]}" was not found in the registry.`;
-            }
-        } else if (errorMessage.includes('NAME_UNKNOWN') || errorMessage.includes('name unknown')) {
-            result.title = 'Repository Not Found';
-            result.message = 'The requested repository does not exist.';
-        } else if (errorMessage.includes('UNAUTHORIZED') || errorMessage.includes('unauthorized')) {
-            result.title = 'Authentication Required';
-            result.message = 'You need to be authenticated to access this image.';
-        } else if (errorMessage.includes('DENIED') || errorMessage.includes('denied')) {
-            result.title = 'Access Denied';
-            result.message = 'You do not have permission to access this image.';
-        } else if (errorMessage.includes('connection refused') || errorMessage.includes('no such host')) {
-            result.title = 'Connection Error';
-            result.message = 'Could not connect to the registry server.';
-        } else if (errorMessage.includes('timeout') || errorMessage.includes('Timeout')) {
-            result.title = 'Request Timeout';
-            result.message = 'The request took too long to complete.';
-        } else if (errorMessage.includes('missing required') || errorMessage.includes('name') && errorMessage.includes('parameter')) {
-            result.title = 'Missing Image Name';
-            result.message = 'Please provide an image name to download.';
-        } else if (errorMessage.includes('image name cannot be empty')) {
-            result.title = 'Invalid Image Name';
-            result.message = 'Image name cannot be empty.';
-        } else if (errorMessage.includes('image name too long')) {
-            result.title = 'Invalid Image Name';
-            result.message = 'Image name is too long (maximum 256 characters).';
-        } else if (errorMessage.includes('invalid characters') || errorMessage.includes('contains invalid characters')) {
-            result.title = 'Invalid Image Name';
-            result.message = 'Image name contains invalid characters.';
-        } else if (errorMessage.includes('invalid image name')) {
-            result.title = 'Invalid Image Name';
-            result.message = 'The image name format is not valid.';
-            // Extract the specific reason
-            const reasonMatch = errorMessage.match(/invalid image name:\s*(.+)/i);
-            if (reasonMatch) {
-                result.detail = reasonMatch[1];
-            }
-        } else if (errorMessage.includes('authentication failed')) {
-            result.title = 'Authentication Failed';
-            result.message = 'Failed to authenticate with the registry.';
-            // Try to extract status code
-            const statusMatch = errorMessage.match(/(\d{3})\s*-/);
-            if (statusMatch) {
-                result.detail = `Server returned status ${statusMatch[1]}`;
-            }
-        } else if (errorMessage.includes('no WWW-Authenticate header')) {
-            result.title = 'Registry Error';
-            result.message = 'The registry did not provide authentication information.';
-        } else if (errorMessage.includes('unexpected status')) {
-            result.title = 'Registry Error';
-            result.message = 'Received an unexpected response from the registry.';
-            const statusMatch = errorMessage.match(/unexpected status:\s*(\d+)/);
-            if (statusMatch) {
-                result.detail = `Status code: ${statusMatch[1]}`;
-            }
-        } else if (errorMessage.includes('failed to get manifest')) {
-            result.title = 'Manifest Error';
-            result.message = 'Could not retrieve the image manifest from the registry.';
-            // Try to extract status code
-            const statusMatch = errorMessage.match(/(\d{3})\s*-/);
-            if (statusMatch) {
-                result.detail = `Server returned status ${statusMatch[1]}`;
-            }
-        } else if (errorMessage.includes('no suitable manifest found')) {
-            result.title = 'Unsupported Image';
-            result.message = 'No compatible manifest was found for this image.';
-            result.detail = 'The image may not support the requested platform.';
-        } else if (errorMessage.includes('failed to download config')) {
-            result.title = 'Download Error';
-            result.message = 'Failed to download the image configuration.';
-        } else if (errorMessage.includes('failed to download layer')) {
-            result.title = 'Download Error';
-            result.message = 'Failed to download one of the image layers.';
-        } else if (errorMessage.includes('failed to decompress')) {
-            result.title = 'Processing Error';
-            result.message = 'Failed to decompress the image layer.';
-        } else if (errorMessage.includes('failed to create tar')) {
-            result.title = 'Processing Error';
-            result.message = 'Failed to create the final image archive.';
-        } else {
-            // Try to extract a cleaner message from JSON error response
-            const jsonMatch = errorMessage.match(/\d+\s*-\s*(\{.+\})/);
-            if (jsonMatch) {
-                try {
-                    const parsed = JSON.parse(jsonMatch[1]);
-                    if (parsed.errors && parsed.errors[0]) {
-                        result.message = parsed.errors[0].message || errorMessage;
-                        if (parsed.errors[0].detail) {
-                            result.detail = typeof parsed.errors[0].detail === 'string'
-                                ? parsed.errors[0].detail
-                                : JSON.stringify(parsed.errors[0].detail);
+
+    <script>
+        const form = document.getElementById('downloadForm');
+        const imageNameInput = document.getElementById('imageName');
+        const platformInput = document.getElementById('platform');
+        const downloadBtn = document.getElementById('downloadBtn');
+        const directBtn = document.getElementById('directBtn');
+        const status = document.getElementById('status');
+        const wgetSnippet = document.getElementById('wgetSnippet');
+        const progressBar = document.getElementById('progressBar');
+        const progressFill = document.getElementById('progressFill');
+
+        function parseError(errorMessage) {
+            // Try to extract meaningful parts from the error
+            const result = {
+                title: 'Download Failed',
+                message: errorMessage,
+                detail: null
+            };
+
+            // Check for common error patterns
+            if (errorMessage.includes('MANIFEST_UNKNOWN') || errorMessage.includes('manifest unknown')) {
+                result.title = 'Image Not Found';
+                result.message = 'The requested image tag does not exist.';
+                // Try to extract the tag
+                const tagMatch = errorMessage.match(/unknown tag=([^\s}"]+)/);
+                if (tagMatch) {
+                    result.detail = `Tag "${tagMatch[1]}" was not found in the registry.`;
+                }
+            } else if (errorMessage.includes('NAME_UNKNOWN') || errorMessage.includes('name unknown')) {
+                result.title = 'Repository Not Found';
+                result.message = 'The requested repository does not exist.';
+            } else if (errorMessage.includes('UNAUTHORIZED') || errorMessage.includes('unauthorized')) {
+                result.title = 'Authentication Required';
+                result.message = 'You need to be authenticated to access this image.';
+            } else if (errorMessage.includes('DENIED') || errorMessage.includes('denied')) {
+                result.title = 'Access Denied';
+                result.message = 'You do not have permission to access this image.';
+            } else if (errorMessage.includes('connection refused') || errorMessage.includes('no such host')) {
+                result.title = 'Connection Error';
+                result.message = 'Could not connect to the registry server.';
+            } else if (errorMessage.includes('timeout') || errorMessage.includes('Timeout')) {
+                result.title = 'Request Timeout';
+                result.message = 'The request took too long to complete.';
+            } else if (errorMessage.includes('missing required') || errorMessage.includes('name') && errorMessage.includes('parameter')) {
+                result.title = 'Missing Image Name';
+                result.message = 'Please provide an image name to download.';
+            } else if (errorMessage.includes('image name cannot be empty')) {
+                result.title = 'Invalid Image Name';
+                result.message = 'Image name cannot be empty.';
+            } else if (errorMessage.includes('image name too long')) {
+                result.title = 'Invalid Image Name';
+                result.message = 'Image name is too long (maximum 256 characters).';
+            } else if (errorMessage.includes('invalid characters') || errorMessage.includes('contains invalid characters')) {
+                result.title = 'Invalid Image Name';
+                result.message = 'Image name contains invalid characters.';
+            } else if (errorMessage.includes('invalid image name')) {
+                result.title = 'Invalid Image Name';
+                result.message = 'The image name format is not valid.';
+                // Extract the specific reason
+                const reasonMatch = errorMessage.match(/invalid image name:\s*(.+)/i);
+                if (reasonMatch) {
+                    result.detail = reasonMatch[1];
+                }
+            } else if (errorMessage.includes('authentication failed')) {
+                result.title = 'Authentication Failed';
+                result.message = 'Failed to authenticate with the registry.';
+                // Try to extract status code
+                const statusMatch = errorMessage.match(/(\d{3})\s*-/);
+                if (statusMatch) {
+                    result.detail = `Server returned status ${statusMatch[1]}`;
+                }
+            } else if (errorMessage.includes('no WWW-Authenticate header')) {
+                result.title = 'Registry Error';
+                result.message = 'The registry did not provide authentication information.';
+            } else if (errorMessage.includes('unexpected status')) {
+                result.title = 'Registry Error';
+                result.message = 'Received an unexpected response from the registry.';
+                const statusMatch = errorMessage.match(/unexpected status:\s*(\d+)/);
+                if (statusMatch) {
+                    result.detail = `Status code: ${statusMatch[1]}`;
+                }
+            } else if (errorMessage.includes('failed to get manifest')) {
+                result.title = 'Manifest Error';
+                result.message = 'Could not retrieve the image manifest from the registry.';
+                // Try to extract status code
+                const statusMatch = errorMessage.match(/(\d{3})\s*-/);
+                if (statusMatch) {
+                    result.detail = `Server returned status ${statusMatch[1]}`;
+                }
+            } else if (errorMessage.includes('platform') && errorMessage.includes('not found')) {
+                result.title = 'Platform Not Found';
+                result.message = 'The requested platform is not available for this image.';
+                const availableMatch = errorMessage.match(/available platforms: \[(.*?)\]/);
+                if (availableMatch) {
+                    result.detail = `Available platforms: ${availableMatch[1]}`;
+                }
+            } else if (errorMessage.includes('no suitable manifest found')) {
+                result.title = 'Unsupported Image';
+                result.message = 'No compatible manifest was found for this image.';
+                result.detail = 'The image may not support the requested platform.';
+            } else if (errorMessage.includes('failed to download config')) {
+                result.title = 'Download Error';
+                result.message = 'Failed to download the image configuration.';
+            } else if (errorMessage.includes('failed to download layer')) {
+                result.title = 'Download Error';
+                result.message = 'Failed to download one of the image layers.';
+            } else if (errorMessage.includes('failed to decompress')) {
+                result.title = 'Processing Error';
+                result.message = 'Failed to decompress the image layer.';
+            } else if (errorMessage.includes('failed to create tar')) {
+                result.title = 'Processing Error';
+                result.message = 'Failed to create the final image archive.';
+            } else {
+                // Try to extract a cleaner message from JSON error response
+                const jsonMatch = errorMessage.match(/\d+\s*-\s*(\{.+\})/);
+                if (jsonMatch) {
+                    try {
+                        const parsed = JSON.parse(jsonMatch[1]);
+                        if (parsed.errors && parsed.errors[0]) {
+                            result.message = parsed.errors[0].message || errorMessage;
+                            if (parsed.errors[0].detail) {
+                                result.detail = typeof parsed.errors[0].detail === 'string'
+                                    ? parsed.errors[0].detail
+                                    : JSON.stringify(parsed.errors[0].detail);
+                            }
                         }
+                    } catch (e) {
+                        // Keep original message
                     }
-                } catch (e) {
-                    // Keep original message
                 }
             }
-        }
-
-        return result;
-    }
 
-    function setStatusWithSpinner(text) {
-        while (status.firstChild) {
-            status.removeChild(status.firstChild);
+            return result;
         }
-        const spinner = document.createElement('span');
-        spinner.className = 'spinner';
-        status.appendChild(spinner);
-        status.appendChild(document.createTextNode(text));
-    }
 
-    function showError(errorMessage) {
-        const error = parseError(errorMessage);
-
-        while (status.firstChild) {
-            status.removeChild(status.firstChild);
+        function setStatusWithSpinner(text) {
+            while (status.firstChild) {
+                status.removeChild(status.firstChild);
+            }
+            const spinner = document.createElement('span');
+            spinner.className = 'spinner';
+            status.appendChild(spinner);
+            status.appendChild(document.createTextNode(text));
         }
-        status.classList.remove('error');
-
-        const errorBox = document.createElement('div');
-        errorBox.className = 'error-box';
 
-        const titleDiv = document.createElement('div');
-        titleDiv.className = 'error-title';
-        titleDiv.textContent = error.title;
-        errorBox.appendChild(titleDiv);
+        function showError(errorMessage) {
+            const error = parseError(errorMessage);
 
-        const messageDiv = document.createElement('div');
-        messageDiv.className = 'error-message';
-        messageDiv.textContent = error.message;
-        errorBox.appendChild(messageDiv);
+            while (status.firstChild) {
+                status.removeChild(status.firstChild);
+            }
+            status.classList.remove('error');
+
+            const errorBox = document.createElement('div');
+            errorBox.className = 'error-box';
+
+            const titleDiv = document.createElement('div');
+            titleDiv.className = 'error-title';
+            titleDiv.textContent = error.title;
+            errorBox.appendChild(titleDiv);
+
+            const messageDiv = document.createElement('div');
+            messageDiv.className = 'error-message';
+            messageDiv.textContent = error.message;
+            errorBox.appendChild(messageDiv);
+
+            if (error.detail) {
+                const detailDiv = document.createElement('div');
+                detailDiv.className = 'error-detail';
+                detailDiv.textContent = error.detail;
+                errorBox.appendChild(detailDiv);
+            }
 
-        if (error.detail) {
-            const detailDiv = document.createElement('div');
-            detailDiv.className = 'error-detail';
-            detailDiv.textContent = error.detail;
-            errorBox.appendChild(detailDiv);
+            status.appendChild(errorBox);
         }
 
-        status.appendChild(errorBox);
-    }
-
-    form.addEventListener('submit', async (e) => {
-        e.preventDefault();
+        form.addEventListener('submit', async (e) => {
+            e.preventDefault();
 
-        const imageName = imageNameInput.value.trim();
-        if (!imageName) {
-            status.textContent = 'Please enter an image name';
-            status.classList.add('error');
-            return;
-        }
+            const imageName = imageNameInput.value.trim();
+            const platform = platformInput.value;
 
-        // Reset and show progress
-        status.classList.remove('error');
-        setStatusWithSpinner('Preparing download...');
-        progressBar.classList.add('visible');
-        progressFill.style.width = '0%';
-        progressFill.classList.add('indeterminate');
-        downloadBtn.disabled = true;
+            if (!imageName) {
+                status.textContent = 'Please enter an image name';
+                status.classList.add('error');
+                return;
+            }
 
-        try {
-            const response = await fetch(`/image?name=${encodeURIComponent(imageName)}`);
+            // Reset and show progress
+            status.classList.remove('error');
+            setStatusWithSpinner('Preparing download...');
+            progressBar.classList.add('visible');
+            progressFill.style.width = '0%';
+            progressFill.classList.add('indeterminate');
+            downloadBtn.disabled = true;
+            directBtn.disabled = true;
+            wgetSnippet.textContent = ''; // Clear snippet on new download
+
+            try {
+                const response = await fetch(`/image?name=${encodeURIComponent(imageName)}&platform=${encodeURIComponent(platform)}`);
+
+                if (!response.ok) {
+                    const errorData = await response.json();
+                    throw new Error(errorData.error || 'Download failed');
+                }
 
-            if (!response.ok) {
-                const errorData = await response.json();
-                throw new Error(errorData.error || 'Download failed');
-            }
+                // Get content length for progress
+                const contentLength = response.headers.get('Content-Length');
+                const totalBytes = contentLength ? parseInt(contentLength, 10) : 0;
+
+                // Get filename from Content-Disposition header
+                const disposition = response.headers.get('Content-Disposition');
+                let filename = `image_${platform.replace('/', '_')}.tar.gz`;
+
+                if (disposition) {
+                    const match = disposition.match(/filename="(.+)"/);
+                    if (match) {
+                        // Sanitize filename: only allow alphanumeric, dash, underscore, dot
+                        let sanitized = match[1]
+                            .replace(/[^a-zA-Z0-9._-]/g, '_')  // Replace unsafe chars with underscore
+                            .replace(/^\.+/, '')               // Remove leading dots
+                            .substring(0, 255);                // Limit length
+                        // Validate the result matches expected pattern
+                        if (sanitized && /^[a-zA-Z0-9][a-zA-Z0-9._-]*$/.test(sanitized)) {
+                            filename = sanitized;
+                        }
+                    }
+                }
 
-            // Get content length for progress
-            const contentLength = response.headers.get('Content-Length');
-            const totalBytes = contentLength ? parseInt(contentLength, 10) : 0;
-
-            // Get filename from Content-Disposition header
-            const disposition = response.headers.get('Content-Disposition');
-            let filename = 'image.tar.gz';
-            if (disposition) {
-                const match = disposition.match(/filename="(.+)"/);
-                if (match) {
-                    // Sanitize filename: only allow alphanumeric, dash, underscore, dot
-                    let sanitized = match[1]
-                        .replace(/[^a-zA-Z0-9._-]/g, '_')  // Replace unsafe chars with underscore
-                        .replace(/^\.+/, '')               // Remove leading dots
-                        .substring(0, 255);                // Limit length
-                    // Validate the result matches expected pattern
-                    if (sanitized && /^[a-zA-Z0-9][a-zA-Z0-9._-]*$/.test(sanitized)) {
-                        filename = sanitized;
+                // Read the response as a stream to track progress
+                const reader = response.body.getReader();
+                const chunks = [];
+                let receivedBytes = 0;
+
+                progressFill.classList.remove('indeterminate');
+                setStatusWithSpinner('Downloading...');
+
+                while (true) {
+                    const { done, value } = await reader.read();
+                    if (done) break;
+
+                    chunks.push(value);
+                    receivedBytes += value.length;
+
+                    if (totalBytes > 0) {
+                        const rawPercent = Math.round((receivedBytes / totalBytes) * 100);
+                        const percent = Number.isFinite(rawPercent) ? Math.min(100, Math.max(0, rawPercent)) : 0;
+                        progressFill.style.width = String(percent) + '%';
+                        const rawSizeMB = receivedBytes / (1024 * 1024);
+                        const rawTotalMB = totalBytes / (1024 * 1024);
+                        const sizeMB = Number.isFinite(rawSizeMB) ? rawSizeMB.toFixed(1) : '0.0';
+                        const totalMB = Number.isFinite(rawTotalMB) ? rawTotalMB.toFixed(1) : '0.0';
+                        setStatusWithSpinner('Downloading... ' + sizeMB + ' MB / ' + totalMB + ' MB (' + percent + '%)');
+                    } else {
+                        const rawSizeMB = receivedBytes / (1024 * 1024);
+                        const sizeMB = Number.isFinite(rawSizeMB) ? rawSizeMB.toFixed(1) : '0.0';
+                        setStatusWithSpinner('Downloading... ' + sizeMB + ' MB');
                     }
                 }
+
+                // Create blob and trigger download
+                const blob = new Blob(chunks);
+                const url = URL.createObjectURL(blob);
+                const a = document.createElement('a');
+                a.href = url;
+                a.download = filename;
+                document.body.appendChild(a);
+                a.click();
+                document.body.removeChild(a);
+                URL.revokeObjectURL(url);
+
+                const finalSizeMB = (receivedBytes / (1024 * 1024)).toFixed(1);
+                status.textContent = `Download complete! (${finalSizeMB} MB)`;
+                progressFill.style.width = '100%';
+
+            } catch (error) {
+                showError(error.message);
+                progressBar.classList.remove('visible');
+            } finally {
+                downloadBtn.disabled = false;
+                directBtn.disabled = false;
             }
+        });
 
-            // Read the response as a stream to track progress
-            const reader = response.body.getReader();
-            const chunks = [];
-            let receivedBytes = 0;
-
-            progressFill.classList.remove('indeterminate');
-            setStatusWithSpinner('Downloading...');
-
-            while (true) {
-                const {done, value} = await reader.read();
-                if (done) break;
-
-                chunks.push(value);
-                receivedBytes += value.length;
-
-                if (totalBytes > 0) {
-                    const rawPercent = Math.round((receivedBytes / totalBytes) * 100);
-                    const percent = Number.isFinite(rawPercent) ? Math.min(100, Math.max(0, rawPercent)) : 0;
-                    progressFill.style.width = String(percent) + '%';
-                    const rawSizeMB = receivedBytes / (1024 * 1024);
-                    const rawTotalMB = totalBytes / (1024 * 1024);
-                    const sizeMB = Number.isFinite(rawSizeMB) ? rawSizeMB.toFixed(1) : '0.0';
-                    const totalMB = Number.isFinite(rawTotalMB) ? rawTotalMB.toFixed(1) : '0.0';
-                    setStatusWithSpinner('Downloading... ' + sizeMB + ' MB / ' + totalMB + ' MB (' + percent + '%)');
-                } else {
-                    const rawSizeMB = receivedBytes / (1024 * 1024);
-                    const sizeMB = Number.isFinite(rawSizeMB) ? rawSizeMB.toFixed(1) : '0.0';
-                    setStatusWithSpinner('Downloading... ' + sizeMB + ' MB');
-                }
+        directBtn.addEventListener('click', (e) => {
+            e.preventDefault();
+
+            const imageName = imageNameInput.value.trim();
+            const platform = platformInput.value;
+
+            if (!imageName) {
+                status.textContent = 'Please enter an image name';
+                status.classList.add('error');
+                return;
             }
 
-            // Create blob and trigger download
-            const blob = new Blob(chunks);
-            const url = URL.createObjectURL(blob);
-            const a = document.createElement('a');
-            a.href = url;
-            a.download = filename;
-            document.body.appendChild(a);
-            a.click();
-            document.body.removeChild(a);
-            URL.revokeObjectURL(url);
-
-            const finalSizeMB = (receivedBytes / (1024 * 1024)).toFixed(1);
-            status.textContent = `Download complete! (${finalSizeMB} MB)`;
-            progressFill.style.width = '100%';
-
-        } catch (error) {
-            showError(error.message);
-            progressBar.classList.remove('visible');
-        } finally {
-            downloadBtn.disabled = false;
-        }
-    });
-</script>
+            status.classList.remove('error');
+            status.textContent = 'Starting browser download...';
+            const url = `/image?name=${encodeURIComponent(imageName)}&platform=${encodeURIComponent(platform)}`;
+            window.location.href = url;
+
+            // Show wget snippet for convenience
+            const snippet = `wget --tries=5 --waitretry=3 -c --content-disposition "${window.location.origin}${url}"`;
+            wgetSnippet.textContent = snippet;
+        });
+    </script>
 </body>
-</html>
+
+</html>
\ No newline at end of file
diff --git a/main.go b/main.go
index ff7c4b2..85a0cef 100644
--- a/main.go
+++ b/main.go
@@ -18,7 +18,7 @@ func printBanner() {
 }
 
 func main() {
-	configPath := flag.String("config", "config.yaml", "Path to YAML configuration file")
+	configPath := flag.String("config", "", "Path to YAML configuration file")
 	flag.Parse()
 
 	printBanner()
@@ -40,6 +40,7 @@ func main() {
 	} else {
 		addr = ":8080"
 		cacheDir = ""
+		log.Println("No config file found, using defaults (port: 8080)")
 	}
 
 	server := NewServer(addr, cacheDir)
diff --git a/registry.go b/registry.go
index a151701..b4bba3c 100644
--- a/registry.go
+++ b/registry.go
@@ -15,11 +15,40 @@ import (
 const bearerPrefix = "Bearer "
 const responseBodyStr = "response body"
 
+// Platform represents a target platform for docker images
+type Platform struct {
+	OS           string
+	Architecture string
+}
+
+// DefaultPlatform returns the default platform (linux/amd64)
+func DefaultPlatform() Platform {
+	return Platform{OS: "linux", Architecture: "amd64"}
+}
+
+// String returns the platform in os/architecture format
+func (p Platform) String() string {
+	return p.OS + "/" + p.Architecture
+}
+
+// ParsePlatform parses a platform string like "linux/amd64" into a Platform struct
+func ParsePlatform(platform string) Platform {
+	if platform == "" {
+		return DefaultPlatform()
+	}
+	parts := strings.Split(platform, "/")
+	if len(parts) != 2 {
+		return DefaultPlatform()
+	}
+	return Platform{OS: parts[0], Architecture: parts[1]}
+}
+
 // ImageReference represents a parsed Docker image reference
 type ImageReference struct {
 	Registry   string
 	Repository string
 	Tag        string
+	Platform   Platform
 }
 
 // RegistryClient handles communication with Docker registries
@@ -81,6 +110,7 @@ func ParseImageReference(ref string) ImageReference {
 	result := ImageReference{
 		Registry: "registry-1.docker.io",
 		Tag:      "latest",
+		Platform: DefaultPlatform(),
 	}
 
 	if idx := strings.LastIndex(ref, ":"); idx != -1 && !strings.Contains(ref[idx:], "/") {
@@ -235,17 +265,27 @@ func isManifestList(contentType string) bool {
 	return strings.Contains(contentType, "manifest.list") || strings.Contains(contentType, "image.index")
 }
 
-// selectManifestDigest selects the best manifest from a manifest list, preferring linux/amd64
+// selectManifestDigest selects the best manifest from a manifest list based on the specified platform
 func (c *RegistryClient) selectManifestDigest(ref ImageReference, list *ManifestList) (*ManifestV2, error) {
+	targetOS := ref.Platform.OS
+	targetArch := ref.Platform.Architecture
+
+	// First, try to find exact match for the requested platform
 	for _, m := range list.Manifests {
-		if m.Platform.OS == "linux" && m.Platform.Architecture == "amd64" {
+		if m.Platform.OS == targetOS && m.Platform.Architecture == targetArch {
 			return c.getManifestByDigest(ref, m.Digest)
 		}
 	}
+
+	// If no exact match, return error with available platforms
 	if len(list.Manifests) > 0 {
-		return c.getManifestByDigest(ref, list.Manifests[0].Digest)
+		available := make([]string, 0, len(list.Manifests))
+		for _, m := range list.Manifests {
+			available = append(available, m.Platform.OS+"/"+m.Platform.Architecture)
+		}
+		return nil, fmt.Errorf("platform %s/%s not found, available platforms: %v", targetOS, targetArch, available)
 	}
-	return nil, fmt.Errorf("no suitable manifest found")
+	return nil, fmt.Errorf("no suitable manifest found for platform %s/%s", targetOS, targetArch)
 }
 
 // parseManifestResponse parses the manifest response body based on content type
diff --git a/registry_test.go b/registry_test.go
index d5bab1d..0d1f4cf 100644
--- a/registry_test.go
+++ b/registry_test.go
@@ -189,3 +189,110 @@ func TestRegistryClient_GetManifest_Mock(t *testing.T) {
 		t.Errorf("expected status 200, got %d", resp.StatusCode)
 	}
 }
+
+func TestParsePlatform(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected Platform
+	}{
+		{
+			name:     "linux/amd64",
+			input:    "linux/amd64",
+			expected: Platform{OS: "linux", Architecture: "amd64"},
+		},
+		{
+			name:     "linux/arm64",
+			input:    "linux/arm64",
+			expected: Platform{OS: "linux", Architecture: "arm64"},
+		},
+		{
+			name:     "windows/amd64",
+			input:    "windows/amd64",
+			expected: Platform{OS: "windows", Architecture: "amd64"},
+		},
+		{
+			name:     "empty string returns default",
+			input:    "",
+			expected: Platform{OS: "linux", Architecture: "amd64"},
+		},
+		{
+			name:     "invalid format returns default",
+			input:    "invalid",
+			expected: Platform{OS: "linux", Architecture: "amd64"},
+		},
+		{
+			name:     "too many parts returns default",
+			input:    "linux/amd64/extra",
+			expected: Platform{OS: "linux", Architecture: "amd64"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := ParsePlatform(tt.input)
+			if result.OS != tt.expected.OS {
+				t.Errorf("expected OS '%s', got '%s'", tt.expected.OS, result.OS)
+			}
+			if result.Architecture != tt.expected.Architecture {
+				t.Errorf("expected Architecture '%s', got '%s'", tt.expected.Architecture, result.Architecture)
+			}
+		})
+	}
+}
+
+func TestPlatformString(t *testing.T) {
+	tests := []struct {
+		name     string
+		platform Platform
+		expected string
+	}{
+		{
+			name:     "linux/amd64",
+			platform: Platform{OS: "linux", Architecture: "amd64"},
+			expected: "linux/amd64",
+		},
+		{
+			name:     "linux/arm64",
+			platform: Platform{OS: "linux", Architecture: "arm64"},
+			expected: "linux/arm64",
+		},
+		{
+			name:     "windows/amd64",
+			platform: Platform{OS: "windows", Architecture: "amd64"},
+			expected: "windows/amd64",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := tt.platform.String()
+			if result != tt.expected {
+				t.Errorf("expected '%s', got '%s'", tt.expected, result)
+			}
+		})
+	}
+}
+
+func TestDefaultPlatform(t *testing.T) {
+	platform := DefaultPlatform()
+
+	if platform.OS != "linux" {
+		t.Errorf("expected OS 'linux', got '%s'", platform.OS)
+	}
+	if platform.Architecture != "amd64" {
+		t.Errorf("expected Architecture 'amd64', got '%s'", platform.Architecture)
+	}
+}
+
+func TestParseImageReference_IncludesPlatform(t *testing.T) {
+	ref := ParseImageReference("alpine:latest")
+
+	// Should have default platform
+	if ref.Platform.OS != "linux" {
+		t.Errorf("expected Platform.OS 'linux', got '%s'", ref.Platform.OS)
+	}
+	if ref.Platform.Architecture != "amd64" {
+		t.Errorf("expected Platform.Architecture 'amd64', got '%s'", ref.Platform.Architecture)
+	}
+}
diff --git a/server.go b/server.go
index 80b0e67..6b84560 100644
--- a/server.go
+++ b/server.go
@@ -115,18 +115,45 @@ func (s *Server) imageHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	cacheFilename := s.getCacheFilename(imageName)
+	// Parse platform parameter (e.g., "linux/amd64", "linux/arm64")
+	// URL-encoded slashes (%2F) are automatically decoded by Go's URL parser
+	platform := r.URL.Query().Get("platform")
+	if platform != "" {
+		// Sanitize and validate platform - returns a safe reconstructed value
+		sanitized, err := sanitizePlatform(platform)
+		if err != nil {
+			writeJSONError(w, fmt.Sprintf("invalid platform: %v", err), http.StatusBadRequest)
+			return
+		}
+		platform = sanitized
+	} else {
+		// Normalize empty platform to default to ensure consistent cache keys
+		// This prevents duplicate downloads when one request omits platform
+		// and another explicitly specifies "linux/amd64"
+		platform = DefaultPlatform().String()
+	}
+
+	// Create a unique cache key combining image name and platform
+	cacheKey := imageName + ":" + platform
+	cacheFilename := s.getCacheFilename(imageName, platform)
 	cachePath := filepath.Join(s.cacheDir, cacheFilename)
 
+	// Validate that the cache path stays within the cache directory (prevent path traversal)
+	if err := validatePathContainment(s.cacheDir, cachePath); err != nil {
+		log.Printf("Security: path traversal attempt detected for image %s: %v\n", imageName, err)
+		writeJSONError(w, "invalid request", http.StatusBadRequest)
+		return
+	}
+
 	if _, err := os.Stat(cachePath); err == nil {
-		log.Printf("Serving cached image: %s\n", imageName)
-		s.serveImageFile(w, r, cachePath, imageName)
+		log.Printf("Serving cached image: %s (platform: %s)\n", imageName, platform)
+		s.serveImageFile(w, r, cachePath, imageName, platform)
 		return
 	}
 
-	log.Printf("Downloading image: %s\n", imageName)
-	result, err, _ := s.downloadGroup.Do(imageName, func() (interface{}, error) {
-		return DownloadImage(imageName, s.cacheDir)
+	log.Printf("Downloading image: %s (platform: %s)\n", imageName, platform)
+	result, err, _ := s.downloadGroup.Do(cacheKey, func() (interface{}, error) {
+		return DownloadImage(imageName, s.cacheDir, platform)
 	})
 	if err != nil {
 		log.Printf("Failed to download image %s: %v\n", imageName, err)
@@ -136,19 +163,65 @@ func (s *Server) imageHandler(w http.ResponseWriter, r *http.Request) {
 	}
 	imagePath := result.(string)
 
-	s.serveImageFile(w, r, imagePath, imageName)
+	s.serveImageFile(w, r, imagePath, imageName, platform)
+}
+
+// validatePlatform validates the platform string format and returns a sanitized version
+// This prevents path traversal attacks by reconstructing the platform from validated components
+func sanitizePlatform(platform string) (string, error) {
+	parts := strings.Split(platform, "/")
+	if len(parts) != 2 {
+		return "", fmt.Errorf("platform must be in format 'os/architecture' (e.g., 'linux/amd64')")
+	}
+	osName := parts[0]
+	arch := parts[1]
+
+	// Validate OS against whitelist
+	validOS := map[string]bool{"linux": true, "windows": true, "darwin": true}
+	if !validOS[osName] {
+		return "", fmt.Errorf("unsupported OS '%s', valid options: linux, windows, darwin", osName)
+	}
+
+	// Validate architecture against whitelist
+	validArch := map[string]bool{"amd64": true, "arm64": true, "arm": true, "386": true, "ppc64le": true, "s390x": true, "riscv64": true}
+	if !validArch[arch] {
+		return "", fmt.Errorf("unsupported architecture '%s', valid options: amd64, arm64, arm, 386, ppc64le, s390x, riscv64", arch)
+	}
+
+	// Return reconstructed platform from validated components (not user input)
+	// This ensures path safety by only using known-good values
+	return osName + "/" + arch, nil
 }
 
 // getCacheFilename generates a safe filename for caching
 // This must match the filename format used by createOutputTar in image.go
-func (s *Server) getCacheFilename(imageName string) string {
+func (s *Server) getCacheFilename(imageName string, platform string) string {
 	ref := ParseImageReference(imageName)
-	safeImageName := strings.ReplaceAll(ref.Repository, "/", "_")
-	return fmt.Sprintf("%s_%s.tar.gz", safeImageName, ref.Tag)
+	ref.Platform = ParsePlatform(platform)
+
+	// Replace path separators in repository to create a flat filename
+	// Note: imageName is already sanitized by sanitizeImageName before reaching here
+	repo := strings.ReplaceAll(ref.Repository, "/", "_")
+	platformStr := strings.ReplaceAll(ref.Platform.String(), "/", "_")
+
+	return fmt.Sprintf("%s_%s_%s.tar.gz", repo, ref.Tag, platformStr)
+}
+
+// validatePathContainment ensures the final path stays within the base directory
+func validatePathContainment(basePath, fullPath string) error {
+	// Clean both paths for comparison
+	cleanBase := filepath.Clean(basePath)
+	cleanFull := filepath.Clean(fullPath)
+
+	// Ensure the full path starts with the base path
+	if !strings.HasPrefix(cleanFull, cleanBase+string(filepath.Separator)) && cleanFull != cleanBase {
+		return fmt.Errorf("path traversal detected: path escapes base directory")
+	}
+	return nil
 }
 
 // serveImageFile streams an image tar file to the response with Range request support
-func (s *Server) serveImageFile(w http.ResponseWriter, r *http.Request, imagePath, imageName string) {
+func (s *Server) serveImageFile(w http.ResponseWriter, r *http.Request, imagePath, imageName string, platform string) {
 	file, err := os.Open(imagePath)
 	if err != nil {
 		log.Printf("Failed to open image file: %v\n", err)
@@ -171,7 +244,7 @@ func (s *Server) serveImageFile(w http.ResponseWriter, r *http.Request, imagePat
 		return
 	}
 
-	filename := s.getCacheFilename(imageName)
+	filename := s.getCacheFilename(imageName, platform)
 
 	w.Header().Set(contentTypeHeader, "application/gzip")
 	w.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, filename))
diff --git a/server_test.go b/server_test.go
index ca4e38d..9a6a025 100644
--- a/server_test.go
+++ b/server_test.go
@@ -166,7 +166,7 @@ func TestServeImageFile_RangeRequest(t *testing.T) {
 		req.Header.Set("Range", "bytes=0-9")
 		w := httptest.NewRecorder()
 
-		server.serveImageFile(w, req, testFile, "test:image")
+		server.serveImageFile(w, req, testFile, "test:image", "")
 
 		resp := w.Result()
 		if resp.StatusCode != http.StatusPartialContent {
@@ -190,7 +190,7 @@ func TestServeImageFile_RangeRequest(t *testing.T) {
 		req.Header.Set("Range", "bytes=10-19")
 		w := httptest.NewRecorder()
 
-		server.serveImageFile(w, req, testFile, "test:image")
+		server.serveImageFile(w, req, testFile, "test:image", "")
 
 		resp := w.Result()
 		if resp.StatusCode != http.StatusPartialContent {
@@ -215,13 +215,13 @@ func TestServeImageFile_RangeRequest(t *testing.T) {
 		req1 := httptest.NewRequest(http.MethodGet, "/image", nil)
 		req1.Header.Set("Range", "bytes=0-9")
 		w1 := httptest.NewRecorder()
-		server.serveImageFile(w1, req1, testFile, "test:image")
+		server.serveImageFile(w1, req1, testFile, "test:image", "")
 		combined.Write(w1.Body.Bytes())
 
 		req2 := httptest.NewRequest(http.MethodGet, "/image", nil)
 		req2.Header.Set("Range", "bytes=10-")
 		w2 := httptest.NewRecorder()
-		server.serveImageFile(w2, req2, testFile, "test:image")
+		server.serveImageFile(w2, req2, testFile, "test:image", "")
 		combined.Write(w2.Body.Bytes())
 
 		if !bytes.Equal(combined.Bytes(), testContent) {
@@ -234,7 +234,7 @@ func TestServeImageFile_RangeRequest(t *testing.T) {
 		req := httptest.NewRequest(http.MethodGet, "/image", nil)
 		w := httptest.NewRecorder()
 
-		server.serveImageFile(w, req, testFile, "test:image")
+		server.serveImageFile(w, req, testFile, "test:image", "")
 
 		resp := w.Result()
 		if resp.StatusCode != http.StatusOK {
@@ -272,7 +272,7 @@ func TestServeImageFile_InvalidRange(t *testing.T) {
 	req.Header.Set("Range", "bytes=100-200")
 	w := httptest.NewRecorder()
 
-	server.serveImageFile(w, req, testFile, "test:image")
+	server.serveImageFile(w, req, testFile, "test:image", "")
 
 	resp := w.Result()
 	if resp.StatusCode != http.StatusRequestedRangeNotSatisfiable {
@@ -280,104 +280,219 @@ func TestServeImageFile_InvalidRange(t *testing.T) {
 	}
 }
 
-func TestHumanizeBytes(t *testing.T) {
+func TestImageHandler_WithPlatform(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping integration test")
+	}
+
+	server := NewServer(":8080", "")
+
+	// Test with linux/amd64 platform
+	req := httptest.NewRequest(http.MethodGet, "/image?name=alpine:latest&platform=linux/amd64", nil)
+	w := httptest.NewRecorder()
+
+	server.imageHandler(w, req)
+
+	resp := w.Result()
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("expected status 200, got %d", resp.StatusCode)
+	}
+
+	contentType := resp.Header.Get("Content-Type")
+	if contentType != "application/gzip" {
+		t.Errorf("expected Content-Type 'application/gzip', got '%s'", contentType)
+	}
+}
+
+func TestImageHandler_WithURLEncodedPlatform(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping integration test")
+	}
+
+	server := NewServer(":8080", "")
+
+	// Test with URL-encoded platform (linux%2Famd64)
+	req := httptest.NewRequest(http.MethodGet, "/image?name=alpine:latest&platform=linux%2Famd64", nil)
+	w := httptest.NewRecorder()
+
+	server.imageHandler(w, req)
+
+	resp := w.Result()
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("expected status 200, got %d", resp.StatusCode)
+	}
+}
+
+func TestImageHandler_InvalidPlatform(t *testing.T) {
+	server := NewServer(":8080", "")
+
 	tests := []struct {
 		name     string
-		bytes    int64
-		expected string
+		platform string
+	}{
+		{"invalid format", "invalid"},
+		{"unsupported OS", "bsd/amd64"},
+		{"unsupported arch", "linux/mips"},
+		{"empty parts", "/amd64"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			req := httptest.NewRequest(http.MethodGet, "/image?name=alpine:latest&platform="+tt.platform, nil)
+			w := httptest.NewRecorder()
+
+			server.imageHandler(w, req)
+
+			resp := w.Result()
+			if resp.StatusCode != http.StatusBadRequest {
+				t.Errorf("expected status 400, got %d", resp.StatusCode)
+			}
+
+			var body map[string]string
+			if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
+				t.Fatalf("failed to decode response: %v", err)
+			}
+
+			if body["error"] == "" {
+				t.Error("expected error message in response")
+			}
+		})
+	}
+}
+
+func TestSanitizePlatform(t *testing.T) {
+	tests := []struct {
+		name      string
+		platform  string
+		expected  string
+		expectErr bool
+	}{
+		{"linux/amd64", "linux/amd64", "linux/amd64", false},
+		{"linux/arm64", "linux/arm64", "linux/arm64", false},
+		{"linux/arm", "linux/arm", "linux/arm", false},
+		{"linux/386", "linux/386", "linux/386", false},
+		{"linux/ppc64le", "linux/ppc64le", "linux/ppc64le", false},
+		{"linux/s390x", "linux/s390x", "linux/s390x", false},
+		{"linux/riscv64", "linux/riscv64", "linux/riscv64", false},
+		{"windows/amd64", "windows/amd64", "windows/amd64", false},
+		{"darwin/amd64", "darwin/amd64", "darwin/amd64", false},
+		{"darwin/arm64", "darwin/arm64", "darwin/arm64", false},
+		{"invalid format", "invalid", "", true},
+		{"unsupported OS", "bsd/amd64", "", true},
+		{"unsupported arch", "linux/mips", "", true},
+		{"too many parts", "linux/amd64/v2", "", true},
+		{"empty OS", "/amd64", "", true},
+		{"empty arch", "linux/", "", true},
+		{"path traversal attempt", "../../../etc/passwd", "", true},
+		{"path traversal in os", "../linux/amd64", "", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := sanitizePlatform(tt.platform)
+			if tt.expectErr && err == nil {
+				t.Errorf("expected error for platform '%s', got nil", tt.platform)
+			}
+			if !tt.expectErr && err != nil {
+				t.Errorf("unexpected error for platform '%s': %v", tt.platform, err)
+			}
+			if !tt.expectErr && result != tt.expected {
+				t.Errorf("expected sanitized platform '%s', got '%s'", tt.expected, result)
+			}
+		})
+	}
+}
+
+func TestGetCacheFilename_WithPlatform(t *testing.T) {
+	server := NewServerWithCache(":8080", "")
+
+	tests := []struct {
+		name      string
+		imageName string
+		platform  string
+		expected  string
 	}{
 		{
-			name:     "zero bytes",
-			bytes:    0,
-			expected: "0 B",
-		},
-		{
-			name:     "bytes less than 1KB",
-			bytes:    512,
-			expected: "512 B",
-		},
-		{
-			name:     "exactly 1KB",
-			bytes:    1024,
-			expected: "1.00 KB",
-		},
-		{
-			name:     "kilobytes",
-			bytes:    5120,
-			expected: "5.00 KB",
-		},
-		{
-			name:     "megabytes",
-			bytes:    5242880, // 5 MB
-			expected: "5.00 MB",
-		},
-		{
-			name:     "megabytes with decimals",
-			bytes:    7654321,
-			expected: "7.30 MB",
-		},
-		{
-			name:     "gigabytes",
-			bytes:    5368709120, // 5 GB
-			expected: "5.00 GB",
-		},
-		{
-			name:     "gigabytes with decimals",
-			bytes:    1610612736, // 1.5 GB
-			expected: "1.50 GB",
-		},
-		{
-			name:     "terabytes",
-			bytes:    5497558138880, // 5 TB
-			expected: "5.00 TB",
+			name:      "default platform",
+			imageName: "alpine:latest",
+			platform:  "",
+			expected:  "library_alpine_latest_linux_amd64.tar.gz",
 		},
 		{
-			name:     "petabytes",
-			bytes:    5629499534213120, // 5 PB
-			expected: "5.00 PB",
+			name:      "linux/amd64",
+			imageName: "alpine:latest",
+			platform:  "linux/amd64",
+			expected:  "library_alpine_latest_linux_amd64.tar.gz",
 		},
 		{
-			name:     "1023 bytes",
-			bytes:    1023,
-			expected: "1023 B",
+			name:      "linux/arm64",
+			imageName: "alpine:latest",
+			platform:  "linux/arm64",
+			expected:  "library_alpine_latest_linux_arm64.tar.gz",
 		},
 		{
-			name:     "1 byte",
-			bytes:    1,
-			expected: "1 B",
+			name:      "custom registry with platform",
+			imageName: "gcr.io/myproject/myimage:v1.0",
+			platform:  "linux/arm64",
+			expected:  "myproject_myimage_v1.0_linux_arm64.tar.gz",
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result := humanizeBytes(tt.bytes)
+			result := server.getCacheFilename(tt.imageName, tt.platform)
 			if result != tt.expected {
-				t.Errorf("humanizeBytes(%d) = %s, expected %s", tt.bytes, result, tt.expected)
+				t.Errorf("expected '%s', got '%s'", tt.expected, result)
 			}
 		})
 	}
 }
 
-func TestHumanizeBytes_FormattingConsistency(t *testing.T) {
-	// Test that all results use 2 decimal places (except for bytes)
-	testCases := []int64{
-		1024,          // 1.00 KB
-		1048576,       // 1.00 MB
-		1073741824,    // 1.00 GB
-		1099511627776, // 1.00 TB
+func TestImageHandler_PlatformNormalization(t *testing.T) {
+	// This test verifies that requests without platform and with explicit "linux/amd64"
+	// result in the same cache behavior (same filename)
+	server := NewServerWithCache(":8080", "")
+
+	// Both should produce the same cache filename
+	filenameEmpty := server.getCacheFilename("alpine:latest", "")
+	filenameExplicit := server.getCacheFilename("alpine:latest", "linux/amd64")
+
+	if filenameEmpty != filenameExplicit {
+		t.Errorf("cache filenames should match for empty and explicit linux/amd64 platform\nempty: %s\nexplicit: %s",
+			filenameEmpty, filenameExplicit)
 	}
 
-	for _, bytes := range testCases {
-		result := humanizeBytes(bytes)
-		if !strings.Contains(result, ".") {
-			t.Errorf("humanizeBytes(%d) = %s, expected decimal point for formatted size", bytes, result)
-		}
+	// Verify the normalized filename format
+	expected := "library_alpine_latest_linux_amd64.tar.gz"
+	if filenameEmpty != expected {
+		t.Errorf("expected filename '%s', got '%s'", expected, filenameEmpty)
 	}
+}
 
-	// Test that byte values don't have decimal points
-	result := humanizeBytes(512)
-	if strings.Contains(result, ".") {
-		t.Errorf("humanizeBytes(512) = %s, expected no decimal point for byte values", result)
+func TestValidatePathContainment(t *testing.T) {
+	tests := []struct {
+		name      string
+		basePath  string
+		fullPath  string
+		expectErr bool
+	}{
+		{"valid path", "/cache", "/cache/file.tar.gz", false},
+		{"valid nested path", "/cache", "/cache/subdir/file.tar.gz", false},
+		{"path traversal", "/cache", "/cache/../etc/passwd", true},
+		{"absolute escape", "/cache", "/etc/passwd", true},
+		{"same as base", "/cache", "/cache", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := validatePathContainment(tt.basePath, tt.fullPath)
+			if tt.expectErr && err == nil {
+				t.Errorf("expected error for basePath=%q, fullPath=%q", tt.basePath, tt.fullPath)
+			}
+			if !tt.expectErr && err != nil {
+				t.Errorf("unexpected error for basePath=%q, fullPath=%q: %v", tt.basePath, tt.fullPath, err)
+			}
+		})
 	}
 }