diff --git a/src/http.c b/src/http.c
index 935837a..efd6199 100644
--- a/src/http.c
+++ b/src/http.c
@@ -323,6 +323,23 @@ handle_static_asset(struct http_transaction *ta, char *basedir)
 // which? Fix it to avoid indirect object reference (IDOR) attacks.
 snprintf(fname, sizeof fname, "%s%s", basedir, req_path);
+ char *endptr;
+ char *p = calloc(strlen(fname) + 1, sizeof(char));
+ memcpy(p, fname, strlen(fname) + 1);
+ char *dir = strtok_r(p, "/", &endptr);
+ dir = strtok_r(NULL, "/", &endptr); // initial ".." is okay
+ while (dir != NULL) {
+ if (!strcmp(dir, "..")) {
+ return send_not_found(ta);
+ }
+ dir = strtok_r(NULL, "/", &endptr);
+ }
+
+ if (!strcmp(req_path, "/")) {
+ memset(fname, 0, PATH_MAX);
+ snprintf(fname, sizeof fname, "%s%s", server_root, "/index.html");
+ }
+
 if (access(fname, R_OK)) {
 if (errno == EACCES)
 return send_error(ta, HTTP_PERMISSION_DENIED, "Permission denied.");
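Review bot: The tokenising copy `p` is never freed — the calloc'd buffer leaks on the `send_not_found` return inside the loop and again on the fall-through path after it, and the calloc result is used without a NULL check, so every static-asset request costs a small allocation that is never reclaimed. Since `fname` is an array (`sizeof fname` is used on the line above), a stack copy removes both problems: `char copy[sizeof fname]; memcpy(copy, fname, sizeof fname);` and then `char *dir = strtok_r(copy, "/", &endptr);`. Skipping the first token so that a leading `..` in basedir is tolerated also means that if basedir is `/` or empty, the component skipped is the first one of req_path, so a request path starting with `/../` would pass the check; running the component check on req_path alone, with no skipped token, does not depend on how basedir is spelled. The `/index.html` rewrite on the following lines runs after the check and builds the path from `server_root` rather than `basedir`, which is worth confirming is intended. handle_static_asset continues outside the hunk, and the hunk's trailing context line is not visible here.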