diff --git a/frontend/scene-generator/config-loader.js b/frontend/scene-generator/config-loader.js
index fbafb92..b4199c6 100644
--- a/frontend/scene-generator/config-loader.js
+++ b/frontend/scene-generator/config-loader.js
@@ -64,8 +64,8 @@ function loadConfig() {
 
 function normalizeBaseUrl(url) {
   url = url.replace(/\/+$/, "");
-  if (!url.endsWith("/v1")) url = url + "/v1";
-  return url;
+  url = url.replace(/\/v1\/?$/, "");
+  return url + "/v1";
 }
 
 function getDefaults() {
diff --git a/frontend/scene-generator/server.js b/frontend/scene-generator/server.js
index 3d812a0..4594484 100644
--- a/frontend/scene-generator/server.js
+++ b/frontend/scene-generator/server.js
@@ -190,7 +190,13 @@ const server = http.createServer(async (req, res) => {
     } else if (pathname === "/" || pathname === "/index.html") {
       serveStatic(res, path.join(__dirname, "sg_scene_generator.html"));
     } else {
-      const filePath = path.join(__dirname, pathname);
+      const filePath = path.resolve(__dirname, pathname);
+      const resolvedDir = path.resolve(__dirname);
+      if (!filePath.startsWith(resolvedDir + path.sep) && filePath !== resolvedDir) {
+        res.writeHead(403, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: "Forbidden" }));
+        return;
+      }
       if (fs.existsSync(filePath) && fs.statSync(filePath).isFile()) {
         serveStatic(res, filePath);
       } else {
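Review bot: The optional trailing slash in the new `url = url.replace(/\/v1\/?$/, "");` can never match, because the first line of `normalizeBaseUrl` has already stripped every trailing slash, so the `\/?` is dead; either drop it, `url = url.replace(/\/v1$/, "");`, or fold the two steps into one statement, `url = url.replace(/\/+$/, "").replace(/\/v1$/, "");`. The rewrite makes the function idempotent, which the old `endsWith` form was not for an input already ending in `/v1/`, and that is worth recording so the extra strip is not later "simplified" away, e.g. `// Idempotent: drop trailing slashes and any existing /v1 suffix, then append exactly one /v1.` The function still assumes `url` is a string; callers passing `undefined` get a TypeError from the first `replace`, unchanged from before, so if `loadConfig` (outside the hunk) can produce a missing value a guard belongs there rather than here.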
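Review bot: The containment check on the added lines compares the lexical path, but `fs.statSync(filePath).isFile()` on the following context line follows symbolic links, so a link inside the served directory whose target lies elsewhere passes the `startsWith` test and is then handed to `serveStatic`; if symlinks can appear under `__dirname`, resolve the path with `fs.realpathSync` once it is known to exist and repeat the comparison against `fs.realpathSync(resolvedDir)`, as sketched below. The two synchronous `fs` calls also run inside the `async` request handler, so a file removed between `existsSync` and `statSync` makes `statSync` throw, and unless a try/catch outside the hunk wraps this branch the rejection escapes the handler. Both the handler and the derivation of `pathname` begin outside the hunk, so whether `pathname` is already percent-decoded cannot be judged here; with an undecoded value `path.resolve` leaves encoded dot segments literal and the lookup simply fails, which is the safe direction.
```javascript
      // … unchanged: path.resolve containment guard returning 403 …
      if (fs.existsSync(filePath) && fs.statSync(filePath).isFile()) {
        // statSync followed any symlink; make sure the real target is still inside the served directory.
        const realPath = fs.realpathSync(filePath);
        const realDir = fs.realpathSync(resolvedDir);
        if (!realPath.startsWith(realDir + path.sep)) {
          res.writeHead(403, { "Content-Type": "application/json" });
          res.end(JSON.stringify({ error: "Forbidden" }));
          return;
        }
        serveStatic(res, filePath);
      } else {
```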