diff --git a/fri/server/main.py b/fri/server/main.py
index c2e1e659..90dfd7a0 100644
--- a/fri/server/main.py
+++ b/fri/server/main.py
@@ -433,6 +433,11 @@ def download(dir):
     if not download_file:
         abort(400, description="Missing file parameter")
+    download_file = secure_filename(download_file)
+
+    if download_file == "":
+        abort(400, description="Invalid filename")
+
     # Normalize the requested file path
     safe_path = os.path.normpath(download_file)
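Review bot: The added `download_file = secure_filename(download_file)` rewrites the requested name instead of rejecting a bad one, so a request for something like `sub/dir/x.txt` (or a name with non-ASCII characters) is silently turned into a different filename and the later `os.path.normpath` then operates on the rewritten value rather than what the client asked for. For a download endpoint, rejecting is the safer and more debuggable contract: `safe_name = secure_filename(download_file)` / `if not safe_name or safe_name != download_file:` / `abort(400, description="Invalid filename")`, which also keeps the existing empty-name check. Worth a one-line comment at that point, e.g. `# secure_filename() only sanitizes the final path component; dir and the joined path still need their own containment check`, since the `dir` route parameter and the code that builds and checks the final path lie outside this hunk (download's body continues past it).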