diff --git a/packages/server/src/gzip.js b/packages/server/src/gzip.js
index 1e15cf2..f684738 100644
--- a/packages/server/src/gzip.js
+++ b/packages/server/src/gzip.js
@@ -22,7 +22,8 @@ function gzip(request, response) {
 writeHead.call(response, myStatusCode, {
 ...myHeaders,
 "Content-Encoding": "gzip",
- "Content-Length": compressedBuffer.length
+ "Content-Length": compressedBuffer.length,
+ "Content-Security-Policy": "default-src 'self'; img-src 'self' data:"
 });
 write.call(response, compressedBuffer, dataType);
 end.call(response);
diff --git a/packages/server/src/httpServer.js b/packages/server/src/httpServer.js
index e777e73..7920a62 100644
--- a/packages/server/src/httpServer.js
+++ b/packages/server/src/httpServer.js
@@ -242,7 +242,7 @@ class HttpServer {
 }
 let filePath = path.join(this.webFolderPath, uri);
 fs.exists(filePath, exists => {
- if (!exists) {
+ if (!exists || filePath.indexOf(this.webFolderPath) !== 0) {
 response.writeHead(404);
 response.write("Not found");
 response.end();
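Review bot: The Content-Security-Policy header is attached only inside gzip()'s `writeHead.call`, so the policy is enforced only on responses that go through the compression path. Whether any response is sent uncompressed (for instance to a client that does not accept gzip) is not visible in this hunk and should be confirmed; if so, the header belongs where all response headers are assembled. Because the new key comes after `...myHeaders`, it also silently replaces any stricter policy a handler set under the same key, so moving the line above the spread would make it a default, not an override. A short comment such as `// Default CSP for every served asset; data: is allowed for inline images only` would record why a compression helper sets a security header. gzip()'s body starts and ends outside the hunk.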
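Review bot: The containment test `filePath.indexOf(this.webFolderPath) !== 0` is a plain string-prefix comparison with no separator boundary, so a path in a sibling directory whose name merely begins with the web folder's name still passes it. It also compares the normalized result of `path.join` against `this.webFolderPath` as stored; if that value is relative or not normalized (not visible here), the prefix never matches and every request gets a 404. A boundary-aware check would be `const rel = path.relative(this.webFolderPath, filePath);` followed by `if (!exists || rel.startsWith("..") || path.isAbsolute(rel)) {`. The check would ideally run before `fs.exists` so that out-of-root paths never reach the filesystem, and symlinks inside the web folder are not resolved by either form. The enclosing method starts and ends outside the hunk.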