diff --git a/src/_h5ai/server/php/inc/App.php b/src/_h5ai/server/php/inc/App.php
index eef93379..c8c1808c 100644
--- a/src/_h5ai/server/php/inc/App.php
+++ b/src/_h5ai/server/php/inc/App.php
@@ -137,7 +137,7 @@ class App {
 $abs_path = $this->get_abs_path($abs_href);
- if (!is_dir($abs_path)) {
+ if (!is_dir($abs_path) || strpos($abs_path, '../') || strpos($abs_path, '/..') || $abs_path == '..') {
 return 500;
 }
@@ -170,6 +170,11 @@ class App {
 public function get_items($abs_href, $what) {
+ $code = $this->get_http_code($abs_href);
+ if ($code != App::$MAGIC_SEQUENCE) {
+ return array();
+ }
+
 $cache = array();
 $folder = Item::get($this, $this->get_abs_path($abs_href), $cache);
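Review bot: The traversal guard on the new `if` line in the first hunk uses `strpos()` in boolean context, so a match at offset 0 returns `0` and is treated as "not found"; the comparison should be explicit, `if (!is_dir($abs_path) || strpos($abs_path, '../') !== false || strpos($abs_path, '/..') !== false || $abs_path === '..') {`. Matching substrings on the raw path also leaves the invariant implicit; a comment such as `// reject any path that could resolve outside the served root` would state the intent, and canonicalising with `realpath()` and comparing the result against the configured root prefix would enforce that invariant directly rather than by pattern. The enclosing function begins and ends outside the hunk, so whether `$abs_path` has already been normalised by `get_abs_path` cannot be confirmed from here.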
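Review bot: The new guard at the top of `get_items` compares `$code` to `App::$MAGIC_SEQUENCE` with loose `!=`; `get_http_code` returns integers such as `500` in the hunk above, and the type of `$MAGIC_SEQUENCE` is not visible here, so a strict check avoids PHP's loose-comparison surprises: `if ($code !== App::$MAGIC_SEQUENCE) {`. The early return also gives no hint why an empty listing is the right response; a comment like `// only list folders that pass the access checks in get_http_code` would document it. Note that `get_http_code` already resolves `get_abs_path($abs_href)` and the `Item::get` line resolves it again, which is harmless but duplicated. The body of `get_items` continues past the hunk.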