diff --git a/CHANGELOG.md b/CHANGELOG.md
index 351dc463..5db9ec8a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,12 +2,16 @@
 
 All notable changes to secrets-store-csi-driver-provider-gcp will be documented in this file. This file is maintained by humans and is therefore subject to error.
 
-## v0.1.1 (unreleased)
+## UNRELEASED
 
 ### Fixed
 
 * Cleanup unix domain socket
 
+### Changed
+
+* Validate filenames against regex `[-._a-zA-Z0-9]+` and max length of 253 [#74](https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp/pull/74)
+
 ## v0.1.0
 
 Images:
diff --git a/config/config.go b/config/config.go
index 2794524c..0737219c 100644
--- a/config/config.go
+++ b/config/config.go
@@ -23,11 +23,13 @@ import (
 	"fmt"
 	"log"
 	"os"
+	"strings"
 
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/google"
 	"gopkg.in/yaml.v2"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/validation"
 )
 
 // Secret holds the parameters of the SecretProviderClass CRD. Links the GCP
@@ -117,5 +119,12 @@ func Parse(in *MountParams) (*MountConfig, error) {
 		return nil, fmt.Errorf("failed to unmarshal secrets attribute: %v", err)
 	}
 
+	for i := range out.Secrets {
+		name := out.Secrets[i].FileName
+		if errs := validation.IsConfigMapKey(name); len(errs) != 0 {
+			return nil, fmt.Errorf("%q is not a valid fileName for Secret: %s", name, strings.Join(errs, ";"))
+		}
+	}
+
 	return out, nil
 }
diff --git a/config/config_test.go b/config/config_test.go
index a001e5b2..f7d7db7c 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -150,6 +150,57 @@ func TestParseErrors(t *testing.T) {
 				Permissions: 777,
 			},
 		},
+		{
+			name: "fileName with path",
+			in: &MountParams{
+				Attributes: `
+				{
+					"secrets": "- resourceName: \"projects/project/secrets/test/versions/latest\"\n  fileName: \"../good1.txt\"\n",
+					"csi.storage.k8s.io/pod.namespace": "default",
+					"csi.storage.k8s.io/pod.name": "mypod",
+					"csi.storage.k8s.io/pod.uid": "123",
+					"csi.storage.k8s.io/serviceAccount.name": "mysa"
+				}
+				`,
+				KubeSecrets: "{}",
+				TargetPath:  "/tmp/foo",
+				Permissions: 777,
+			},
+		},
+		{
+			name: "fileName with filename separator",
+			in: &MountParams{
+				Attributes: `
+				{
+					"secrets": "- resourceName: \"projects/project/secrets/test/versions/latest\"\n  fileName: \"a:good1.txt\"\n",
+					"csi.storage.k8s.io/pod.namespace": "default",
+					"csi.storage.k8s.io/pod.name": "mypod",
+					"csi.storage.k8s.io/pod.uid": "123",
+					"csi.storage.k8s.io/serviceAccount.name": "mysa"
+				}
+				`,
+				KubeSecrets: "{}",
+				TargetPath:  "/tmp/foo",
+				Permissions: 777,
+			},
+		},
+		{
+			name: "fileName with path separator",
+			in: &MountParams{
+				Attributes: `
+				{
+					"secrets": "- resourceName: \"projects/project/secrets/test/versions/latest\"\n  fileName: \"a/good1.txt\"\n",
+					"csi.storage.k8s.io/pod.namespace": "default",
+					"csi.storage.k8s.io/pod.name": "mypod",
+					"csi.storage.k8s.io/pod.uid": "123",
+					"csi.storage.k8s.io/serviceAccount.name": "mysa"
+				}
+				`,
+				KubeSecrets: "{}",
+				TargetPath:  "/tmp/foo",
+				Permissions: 777,
+			},
+		},
 	}
 
 	for _, tc := range tests {