diff --git a/example/jokeChatServer.js b/example/jokeChatServer.js
index 6e284e4..b3e0534 100644
--- a/example/jokeChatServer.js
+++ b/example/jokeChatServer.js
@@ -2,6 +2,7 @@ const Bot = require('../build');
 const express = require('express');
 const bodyParser = require('body-parser')
 const Promise = require('bluebird');
+const helmet = require('helmet');
 
 const JOKE = "Did you know photons had mass? I didn't even know they were Catholic.";
 const RiddleImageUrl ="http://tinyurl.com/he9tsph";
@@ -164,6 +165,7 @@ function makeServer() {
   });
 
   const app = express();
+  app.use(helmet());
   app.use(bodyParser.json());
   app.use(bodyParser.urlencoded({extended: true}));
 
diff --git a/src/FBLocalChatRoutes.js b/src/FBLocalChatRoutes.js
index 139d663..6d3daba 100644
--- a/src/FBLocalChatRoutes.js
+++ b/src/FBLocalChatRoutes.js
@@ -8,6 +8,7 @@ import invariant from 'invariant';
 import fs from 'fs';
 import dot from 'dot';
 import path from 'path';
+import rateLimit from 'express-rate-limit';
 
 const FBLocalChatRoutes = (router: Router, Bot: Object): Router => {
   router.get('/localChat/getMessages', (req, res) => {
@@ -102,11 +103,16 @@ const FBLocalChatRoutes = (router: Router, Bot: Object): Router => {
     res.sendStatus(200);
   });
 
-  router.get('/localChat/*', (req, res) => {
+  const limiter = rateLimit({
+    windowMs: 15 * 60 * 1000, // 15 minutes
+    max: 100 // limit each IP to 100 requests per windowMs
+  });
+
+  router.get('/localChat/*', limiter, (req, res) => {
     const dir = path.join(path.dirname(__filename), '..', 'localChatWeb');
     var filePath = req.url.replace('/localChat', '');
     if (filePath !== '/') {
-      res.sendFile(filePath, {root: dir});
+      res.sendFile(path.join(dir, filePath)); // Sanitize file path
       return
     }
     const baseURL = req.baseUrl;
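Review bot: `res.sendFile(path.join(dir, filePath))` weakens the static-file handler rather than hardening it: with the original `{root: dir}` option Express refuses any path containing `..` segments, whereas `path.join` resolves them, so a `filePath` taken from `req.url` is no longer confined to `localChatWeb`, and the trailing comment "Sanitize file path" documents the opposite of what the line does. Keep `res.sendFile(filePath, {root: dir});`, or resolve and check containment before serving, e.g. `const target = path.resolve(dir, '.' + filePath); if (!target.startsWith(dir + path.sep)) { res.sendStatus(403); return; }`. `req.url` also still carries any query string into `filePath`, which this commit leaves as it was. The limiter keys on the client address, which behind a reverse proxy is the proxy's unless `trust proxy` is configured — not visible in this hunk. The `/localChat/*` handler continues past the end of the hunk.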
@@ -119,7 +125,7 @@ const FBLocalChatRoutes = (router: Router, Bot: Object): Router => {
         return;
       }
       var tempFn = dot.template(data);
-      res.send(tempFn({baseURL}));
+      res.send(tempFn({baseURL: encodeURIComponent(baseURL)})); // Sanitize baseURL
     });
   });
 
diff --git a/src/index.js b/src/index.js
index 28f1524..5eb799f 100644
--- a/src/index.js
+++ b/src/index.js
@@ -79,7 +79,9 @@ class Bot extends EventEmitter {
     });
 
     router.post('/', (req, res) => {
-      this.handleMessage(req.body);
+      if (typeof req.body === 'object' && req.body !== null) {
+        this.handleMessage(req.body);
+      }
       res.sendStatus(200);
     });
 
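Review bot: `encodeURIComponent(baseURL)` percent-encodes `/`, so a mount path such as `/localChat` reaches the template as `%2FlocalChat`; if the template uses `baseURL` as a URL prefix (I cannot see it from here) the generated links break, and if it is interpolated into HTML the appropriate escaping is HTML-entity encoding, not URL encoding. `req.baseUrl` is the path the router was mounted on, fixed by the application rather than supplied per request, so the hunk gives no reason to treat it as untrusted. If output encoding is wanted, doT's encoded interpolation `{{!it.baseURL}}` in the template is the right place for it, keeping `res.send(tempFn({baseURL}));` here. The readFile callback and the enclosing handler begin before the hunk.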
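Review bot: The new guard in `router.post('/')` drops a non-object body silently and still answers 200, so a caller or a misconfigured parser sees success while nothing was handled; arrays also satisfy `typeof req.body === 'object'`. Tighten the check to `if (req.body && typeof req.body === 'object' && !Array.isArray(req.body)) {` and give the rejected case a response of its own, `} else { res.sendStatus(400); return; }`, or at least log it. The `Bot` class and the surrounding route setup start before the hunk.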