diff --git a/index.js b/index.js
index 09f2857..2b550d8 100644
--- a/index.js
+++ b/index.js
@@ -16,9 +16,10 @@ var requestListener = function (request, response) {
 var path = process.cwd();
 var delay = (0.5 + (Math.random() / 2)) * 100;
+ request.url = request.url.replace(/(\.\.)/g, '');
 if (request.url.indexOf('/api') === 0) {
- path += querystring.unescape(request.url).slice(4);
+ path += querystring.unescape(request.url).slice(4).replace(/(\.\.)/g, '');
 var pathStat = fs.lstatSync(path);
 console.log('reqbody', request.body);
@@ -103,4 +104,4 @@ var requestListener = function (request, response) {
 var server = http.createServer(requestListener);
 server.listen(8080);
-console.log('Sever listen on localhost:8080');
\ No newline at end of file
+console.log('Sever listen on localhost:8080');
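Review bot: Deleting `..` from the string is filtering rather than containment: the new lines in the first hunk still never verify that the final `path` lies under `process.cwd()` before `fs.lstatSync(path)` runs. The prefix test `request.url.indexOf('/api') === 0` also accepts URLs where `/api` is not followed by `/`, so the concatenation is not guaranteed to stay inside the served directory even with no `..` present, and the replace silently rewrites legitimate names that contain two dots instead of rejecting the request. I would tighten the prefix to `'/api/'`, decode once, resolve against the root and refuse anything outside it, e.g. `var target = nodePath.resolve(root, '.' + decoded);` followed by `if (target !== root && target.indexOf(root + nodePath.sep) !== 0) { /* respond 403 and return */ }`, with the `path` module required under another name because `path` is a local variable here. `request.url` also still carries any query string into the file path, and the body of `requestListener` continues outside the hunk, so whether a throwing `lstatSync` is caught cannot be confirmed from this view.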