diff --git a/src/main/java/io/zbus/rpc/StaticResource.java b/src/main/java/io/zbus/rpc/StaticResource.java
index c553095b6bf7b907e504f6130881178e8946d902..33d16a4d1ffa5c9a8a01d72a09d7a9c31853b923 100644
--- a/src/main/java/io/zbus/rpc/StaticResource.java
+++ b/src/main/java/io/zbus/rpc/StaticResource.java
@@ -64,7 +64,23 @@ public class StaticResource {
 File fullPath = new File(absoluteBasePath, urlFile);
 file = fullPath.getAbsolutePath();
 }
-
+
+ // security restriction: access to files outside absoluteBasePath is forbidden
+ boolean validFilePath = true;
+ try {
+ File allowedDir = new File(this.absoluteBasePath.getCanonicalPath());
+ String canonicalFilePath = new File(file).getCanonicalPath();
+ validFilePath = canonicalFilePath.startsWith(allowedDir.getCanonicalPath());
+ } catch (IOException e) {
+ validFilePath = false;
+ }
+ if (!validFilePath) {
+ res.setStatus(404);
+ res.setHeader(Http.CONTENT_TYPE, "text/plain; charset=utf8");
+ res.setBody(urlFile + " Not Found");
+ return res;
+ }
+
 String contentType = HttpKit.contentType(urlFile);
 if(contentType == null) {
 contentType = "application/octet-stream";
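Review bot: The containment check `validFilePath = canonicalFilePath.startsWith(allowedDir.getCanonicalPath());` is a plain string-prefix test, so with a base directory of (constructed example) `/srv/www` a request that canonicalises to `/srv/wwwroot/x` also passes; the accepted prefix must end at a path-component boundary. Replacing the three lines inside the try with `String allowedDir = this.absoluteBasePath.getCanonicalPath();`, `String canonicalFilePath = new File(file).getCanonicalPath();` and `validFilePath = canonicalFilePath.equals(allowedDir) || canonicalFilePath.startsWith(allowedDir + File.separator);` closes that gap and drops the redundant second canonicalisation of an already-canonical path; `java.nio.file.Path#startsWith`, which compares whole components, is the cleaner alternative if the file already uses NIO. Note also that `getCanonicalPath()` follows symlinks, so a link inside the base that points outside it is rejected — presumably intended, but worth stating in the `// security restriction` comment. The enclosing method begins before the hunk, so how `file` is assigned on the branch that does not go through `fullPath` is not visible here; the check only protects the handler if every path to this point derives `file` from the request.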