diff --git a/packages/desktop/src/protocol.rs b/packages/desktop/src/protocol.rs
index 44081ccac..bd8bb3d84 100644
--- a/packages/desktop/src/protocol.rs
+++ b/packages/desktop/src/protocol.rs
@@ -22,10 +22,17 @@ pub(super) fn desktop_handler(request: &Request, asset_root: Option) ->
.body(dioxus_interpreter_js::INTERPRETER_JS.as_bytes().to_vec())
} else {
let asset_root = asset_root
- .unwrap_or_else(|| get_asset_root().unwrap_or_else(|| Path::new(".").to_path_buf()));
+ .unwrap_or_else(|| get_asset_root().unwrap_or_else(|| Path::new(".").to_path_buf()))
+ .canonicalize()?;
let asset = asset_root.join(trimmed).canonicalize()?;
+ if !asset.starts_with(asset_root) {
+ return ResponseBuilder::new()
+ .status(StatusCode::FORBIDDEN)
+ .body(String::from("Forbidden").into_bytes());
+ }
+
if !asset.exists() {
return ResponseBuilder::new()
.status(StatusCode::NOT_FOUND)