diff --git a/server/routes/assets.js b/server/routes/assets.js
index b85c5ef..736b94f 100644
--- a/server/routes/assets.js
+++ b/server/routes/assets.js
@@ -2,8 +2,24 @@
 import path from "path";
 import fs from "fs";
 const BASEPATH = process.env.BASEPATH;
+// From: https://github.com/pillarjs/send/blob/master/index.js#L63
+var UP_PATH_REGEXP = /(?:^|[\\/])\.\.(?:[\\/]|$)/;
+
 const assets = (req, res) => {
 let filePath = req.originalUrl;
+
+ try {
+ filePath = decodeURIComponent(filePath);
+ } catch (err) {
+ return res.status(403).send(new Error("invalid url"));
+ }
+ if (~filePath.indexOf("\0")) {
+ return res.status(403).send(new Error("null byte attack dedected!!"));
+ }
+ if (UP_PATH_REGEXP.test(filePath)) {
+ return res.status(403).send(new Error("LFI attack dedected!!!"));
+ }
+
 if (BASEPATH) {
 filePath = req.originalUrl.replace(`/${BASEPATH}`, ``);
 }
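Review bot: The null-byte and `..` checks run on the decoded `filePath`, but the unchanged `if (BASEPATH)` branch at the end of the hunk immediately overwrites it from the raw `req.originalUrl`, so the value handed to the rest of the function is not the string that was validated; the branch should continue from the checked value, `filePath = filePath.replace(`/${BASEPATH}`, ``);`. The regex is a denylist borrowed from `send`, and `req.originalUrl` also carries any query string into both the decode and the `..` test, so where the path is finally joined to the asset root (outside this hunk; `assets` continues past the last line) it is worth adding a containment check that resolves the final path and rejects it unless it starts with the resolved root plus `path.sep`. `res.send(new Error(...))` serializes an `Error` as an empty object, so the 403 bodies carry no message; `res.status(403).end()` or a plain string would be clearer. Style: `var UP_PATH_REGEXP` should be `const` in an ES module that otherwise uses `const`/`let`.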