diff --git a/tools/serve-frontend.mjs b/tools/serve-frontend.mjs
index f8b40ce..6fb406c 100644
--- a/tools/serve-frontend.mjs
+++ b/tools/serve-frontend.mjs
@@ -1,10 +1,11 @@
 import { createServer } from 'http';
 import { readFile } from 'fs/promises';
-import { join, extname } from 'path';
+import path from 'path';
+const { join, extname, resolve } = path;
 import { fileURLToPath } from 'url';
 
 const __dirname = fileURLToPath(new URL('.', import.meta.url));
-const root = join(__dirname, '..', 'src', 'frontend');
+const root = resolve(join(__dirname, '..', 'src', 'frontend'));
 const PORT = 8474;
 
 const MIME = {
@@ -14,7 +15,14 @@
 };
 
 createServer(async (req, res) => {
-  let filePath = join(root, req.url === '/' ? 'index.html' : req.url);
+  const pathname = new URL(req.url, 'http://localhost').pathname;
+  const filePath = resolve(root, pathname === '/' ? 'index.html' : pathname.slice(1));
+  const rel = path.relative(root, filePath);
+  if (rel.startsWith('..') || path.isAbsolute(rel)) {
+    res.writeHead(403);
+    res.end('Forbidden');
+    return;
+  }
   try {
     const data = await readFile(filePath);
     res.writeHead(200, { 'Content-Type': MIME[extname(filePath)] || 'application/octet-stream' });
@@ -25,4 +33,4 @@
   }
 }).listen(PORT, '127.0.0.1', () => {
   console.log(`Frontend dev server ready on http://127.0.0.1:${PORT}`);
-});
+});
\ No newline at end of file
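Review bot: The new `const { join, extname, resolve } = path;` line is wedged between two `import` statements, which breaks the convention of keeping imports contiguous at the top of the module; move it below `import { fileURLToPath } from 'url';`. The `resolve(join(...))` wrapper is also redundant, since `resolve` joins its segments itself: `const root = resolve(__dirname, '..', 'src', 'frontend');`.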
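Review bot: `new URL(req.url, 'http://localhost')` sits before the `try` block, and the WHATWG URL constructor can throw on some request targets (a scheme-relative `//` form, for instance), so such a request turns into an unhandled rejection from the async handler and the client never gets a response. Wrap the parse and answer with a 400 instead; the traversal check that follows can stay as it is. Note also that `pathname` is still percent-encoded, so a request for an asset whose name needs encoding (a space, for example) would be looked up under the literal escape sequence; if any frontend files have such names, decode with `decodeURIComponent` inside the same guarded block, since it throws on malformed input too. The handler body continues past the end of the hunk.
```javascript
createServer(async (req, res) => {
  let pathname;
  try {
    ({ pathname } = new URL(req.url, 'http://localhost'));
  } catch {
    res.writeHead(400);
    res.end('Bad Request');
    return;
  }
  // … unchanged: resolve filePath, relative-path containment check, readFile …
```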