diff --git a/server.js b/server.js
index 62601c4..88fbe8a 100644
--- a/server.js
+++ b/server.js
@@ -24,6 +24,11 @@ var config = require("./config.js"),
 // static http server
 var httpServer = http.createServer(function(request, response) {
+ if (path.normalize(decodeURI(request.url)) !== decodeURI(request.url)) {
+ response.statusCode = 403;
+ response.end();
+ return;
+ }
 var uri = url.parse(request.url).pathname
 , filename = path.join(process.cwd(), 'public', uri);
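Review bot: The added guard at the top of the request handler calls `decodeURI(request.url)` with no try/catch, and `decodeURI` throws `URIError` on a malformed percent-escape, so one bad request can raise an uncaught exception in the handler (fatal to the process unless something outside this hunk catches it). The comparison also runs on the whole URL rather than the path, so a legitimate query string containing `//` or `..` is rejected, and on Windows `path.normalize` rewrites `/` to `\`, which would turn every request into a 403. A sturdier check validates the result instead of the input: build `filename` first and refuse anything that does not stay under the `public` root, as sketched below. If code after this hunk decodes `uri` or `filename` before opening the file, the containment check has to run on the decoded value; the handler body continues outside the hunk.

```javascript
var httpServer = http.createServer(function(request, response) {
  // Resolve the target first, then verify it is still inside the served root.
  var root = path.join(process.cwd(), 'public')
    , uri = url.parse(request.url).pathname
    , filename = path.join(root, uri);
  if (filename !== root && filename.indexOf(root + path.sep) !== 0) {
    response.statusCode = 403;
    response.end();
    return;
  }
  // … unchanged: rest of the static file handler …
```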