diff --git a/lib/server.c b/lib/server.c
index 4b7078a2..51dd427d 100644
--- a/lib/server.c
+++ b/lib/server.c
@@ -291,6 +291,14 @@ lws_http_action(struct lws *wsi)
 			break;
 		}
 
+	/* we insist on absolute paths */
+
+	if (uri_ptr[0] != '/') {
+		lws_return_http_status(wsi, HTTP_STATUS_FORBIDDEN, NULL);
+
+		goto bail_nuke_ah;
+	}
+
 	/* HTTP header had a content length? */
 
 	wsi->u.http.content_length = 0;
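Review bot: The guard `if (uri_ptr[0] != '/')` answers 403 for every request target that does not begin with a slash, which as written also catches absolute-form targets such as `GET http://host/path` and `OPTIONS *`; the one-line comment does not say whether that is intended or why a rooted path is required. I would expand it to something like `/* reject any request target not starting with '/'; this also covers absolute-form and "*" targets */` and add the reason if later URI handling depends on it. A fixed-text log line before the status call, e.g. `lwsl_info("rejected non-rooted request path\n");`, would make these rejections visible to operators without echoing client-controlled bytes. `uri_ptr` is assigned above the hunk and lws_http_action continues past it, so I am assuming the pointer is non-NULL at this point; that is worth confirming.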
diff --git a/test-server/attack.sh b/test-server/attack.sh
index bd160006..f1a4e1bf 100755
--- a/test-server/attack.sh
+++ b/test-server/attack.sh
@@ -218,10 +218,17 @@ check
 echo
 echo "---- nonexistant file"
 rm -f /tmp/lwscap
-echo -e "GET nope HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
+echo -e "GET /nope HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
 check media
 check
 
+echo
+echo "---- relative uri path"
+rm -f /tmp/lwscap
+echo -e "GET nope HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
+check forbidden
+check
+
 echo
 echo "---- directory attack 1 (/../../../../etc/passwd should be /etc/passswd)"
 rm -f /tmp/lwscap
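Review bot: `check forbidden` in the new "relative uri path" case only proves something if the `check` function, defined outside this hunk, has a branch for `forbidden`. The diff does not add one, so please confirm it exists and fails on a non-403 body rather than falling through. The new lines also reuse the fixed capture file `/tmp/lwscap` after `rm -f`, which on a shared machine another user can pre-create or symlink between the two commands. A file created with `mktemp` would avoid that, but the change would have to be made together with `check`. `$SERVER` and `$PORT` are unquoted in the `nc` call, as in the existing cases.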