diff --git a/towers/fiefdom.py b/towers/fiefdom.py
index 0d1ad6c..8f6f6b7 100644
--- a/towers/fiefdom.py
+++ b/towers/fiefdom.py
@@ -1,3 +1,5 @@
+import pathlib
+
 hooks = ["http.*:\/\/$HOST\/~.*"]
 
 def run(ctx, r):
@@ -12,7 +14,15 @@ def run(ctx, r):
         }
     
     requested = "/index.html" if route == "/" else route
-    try: f = open(f"/home/{user}/.web/{requested}").read()
+    requested = f"/home/{user}/.web/{requested}"
+
+    if not(str(pathlib.Path(requested).resolve()).startswith(f"/home/{user}/.web/")):
+        return {
+            "body": f"<h3>403! illegal path!</h3><br>you are not allowed access to {requested}!", 
+            "status": 403, "content_type": "text/html"
+        }
+
+    try: f = open(requested).read()
     except:
         return {
             "body": f"<h3>404! no such path {requested}</h3><br>double check the path exists in your <b>~/.web</b> directory!",