Bajahaw · Bajahaw · Mar 25, 2026 · Mar 25, 2026 · Bajahaw
diff --git a/backend/cmd/main.go b/backend/cmd/main.go
@@ -16,6 +16,7 @@
 	"net/http"
 	"os"
 	"os/signal"
+	"path/filepath"
 	"syscall"
 	"time"
 
@@ -126,13 +127,33 @@
 }
 
 func (h spaHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	path := "." + r.URL.Path
-	if _, err := os.Stat(h.staticDir + "/" + r.URL.Path); os.IsNotExist(err) {
+	staticAbs, err := filepath.Abs(h.staticDir)
+	if err != nil {
+		// If we cannot resolve the static directory, fall back to the SPA shell.
+		http.ServeFile(w, r, h.staticDir+"/index.html")
+		return
+	}
+
+	requestedPath := filepath.Join(staticAbs, r.URL.Path)
+	requestedAbs, err := filepath.Abs(requestedPath)
+	if err != nil {
+		// On error resolving the requested path, fall back to the SPA shell.
+		http.ServeFile(w, r, h.staticDir+"/index.html")
+		return
+	}
+
+	// Ensure the requested path is within the static directory to prevent directory traversal.
+	if len(requestedAbs) < len(staticAbs) || requestedAbs[:len(staticAbs)] != staticAbs {
+		http.ServeFile(w, r, h.staticDir+"/index.html")
+		return
+	}
+
+	if _, err := os.Stat(requestedAbs); os.IsNotExist(err) {
@@ -17,6 +17,7 @@
 	"os"
 	"os/signal"
 	"path/filepath"
+	"strings"
 	"syscall"
 	"time"
@@ -130,27 +131,29 @@
 	staticAbs, err := filepath.Abs(h.staticDir)
 	if err != nil {
 		// If we cannot resolve the static directory, fall back to the SPA shell.
-		http.ServeFile(w, r, h.staticDir+"/index.html")
+		http.ServeFile(w, r, filepath.Join(h.staticDir, "index.html"))
 		return
 	}
+	indexFile := filepath.Join(staticAbs, "index.html")
+
 	requestedPath := filepath.Join(staticAbs, r.URL.Path)
 	requestedAbs, err := filepath.Abs(requestedPath)
 	if err != nil {
 		// On error resolving the requested path, fall back to the SPA shell.
-		http.ServeFile(w, r, h.staticDir+"/index.html")
+		http.ServeFile(w, r, indexFile)
 		return
 	}
 	// Ensure the requested path is within the static directory to prevent directory traversal.
-	if len(requestedAbs) < len(staticAbs) || requestedAbs[:len(staticAbs)] != staticAbs {
-		http.ServeFile(w, r, h.staticDir+"/index.html")
+	if !(requestedAbs == staticAbs || strings.HasPrefix(requestedAbs, staticAbs+string(os.PathSeparator))) {
+		http.ServeFile(w, r, indexFile)
 		return
 	}
 	if _, err := os.Stat(requestedAbs); os.IsNotExist(err) {
 		// Not a real file – serve the SPA shell
-		http.ServeFile(w, r, h.staticDir+"/index.html")
+		http.ServeFile(w, r, indexFile)
 		return
 	}
@@ -17,6 +17,7 @@
 	"os"
 	"os/signal"
 	"path/filepath"
+	"strings"
 	"syscall"
 	"time"

@@ -130,27 +131,29 @@
 	staticAbs, err := filepath.Abs(h.staticDir)
 	if err != nil {
 		// If we cannot resolve the static directory, fall back to the SPA shell.
-		http.ServeFile(w, r, h.staticDir+"/index.html")
+		http.ServeFile(w, r, filepath.Join(h.staticDir, "index.html"))
 		return
 	}

+	indexFile := filepath.Join(staticAbs, "index.html")
+
 	requestedPath := filepath.Join(staticAbs, r.URL.Path)
 	requestedAbs, err := filepath.Abs(requestedPath)
 	if err != nil {
 		// On error resolving the requested path, fall back to the SPA shell.
-		http.ServeFile(w, r, h.staticDir+"/index.html")
+		http.ServeFile(w, r, indexFile)
 		return
 	}

 	// Ensure the requested path is within the static directory to prevent directory traversal.
-	if len(requestedAbs) < len(staticAbs) || requestedAbs[:len(staticAbs)] != staticAbs {
-		http.ServeFile(w, r, h.staticDir+"/index.html")
+	if !(requestedAbs == staticAbs || strings.HasPrefix(requestedAbs, staticAbs+string(os.PathSeparator))) {
+		http.ServeFile(w, r, indexFile)
 		return
 	}

 	if _, err := os.Stat(requestedAbs); os.IsNotExist(err) {
 		// Not a real file – serve the SPA shell
-		http.ServeFile(w, r, h.staticDir+"/index.html")
+		http.ServeFile(w, r, indexFile)
 		return
 	}

 		// Not a real file – serve the SPA shell
 		http.ServeFile(w, r, h.staticDir+"/index.html")
 		return
 	}
-	_ = path
+
 	h.fs.ServeHTTP(w, r)
 }