diff --git a/lib/providers/fs.js b/lib/providers/fs.js
index 0e5c622a..f2b0b5f2 100644
--- a/lib/providers/fs.js
+++ b/lib/providers/fs.js
@@ -68,7 +68,7 @@ module.exports = function(options) {
 return function(req, pathname) {
 pathname = decodeURI(pathname);
 // jumping to parent directories is not allowed
- if (pathname.indexOf('../') >= 0) {
+ if (pathname.indexOf('../') >= 0 || pathname.indexOf('..\\') >= 0 || pathname.toLowerCase().indexOf('..%5c') >= 0) {
 return RSVP.resolve(null);
 }
diff --git a/test/unit/providers/fs.spec.js b/test/unit/providers/fs.spec.js
index 65b648a5..119bf612 100644
--- a/test/unit/providers/fs.spec.js
+++ b/test/unit/providers/fs.spec.js
@@ -44,6 +44,18 @@ describe('provider: fs', function() {
 });
 });
+ it('should return null if ../', function() {
+ return expect(fsp(opts)({}, '/../b/b.html')).to.eventually.be.null;
+ });
+
+ it('should return null if ..\\', function() {
+ return expect(fsp(opts)({}, '/..\\b\\b.html')).to.eventually.be.null;
+ });
+
+ it('should return null if ..%5c', function() {
+ return expect(fsp(opts)({}, '/..%5Cb%5cb.html')).to.eventually.be.null;
+ });
+
 it('should return null for a file that does not exist', function() {
 return expect(fsp(opts)({}, '/bogus.html')).to.eventually.be.null;
 });
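Review bot: The extended substring deny-list on the `+` line still lets traversal spellings through, because `decodeURI` leaves the reserved `%2F` untouched, so `..%2f` matches none of the three patterns, and a path ending in bare `..` (e.g. `/foo/..`) has no separator after it to match either; note also that `..%5c` can only appear after `decodeURI` if the request was double-encoded (`%255c`), since a single `%5C` is already decoded to `\` by the line above. A canonicalization check is more robust than enumerating encodings: resolve the decoded path against the directory this provider serves and refuse anything that does not stay under it (the root is joined somewhere outside this hunk, so the name below is a placeholder; `path` must be required at the top of the file). Separately, `pathname = decodeURI(pathname)` on the context line throws `URIError` synchronously on a malformed escape such as `/%`, so the function throws instead of returning a promise; wrap it as `try { pathname = decodeURI(pathname); } catch (e) { return RSVP.resolve(null); }`. The enclosing `function(options)` begins before the hunk and its body continues past it.
```javascript
    // Canonicalize instead of substring-matching: resolve the request against
    // the served directory and refuse anything that escapes it. `baseDir` stands
    // for whatever root this provider joins pathname onto (not visible here).
    var root = path.resolve(baseDir);
    var target = path.resolve(root, '.' + pathname);
    if (target !== root && target.indexOf(root + path.sep) !== 0) {
      return RSVP.resolve(null);
    }
    // … unchanged: file lookup …
```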
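Review bot: The third new test, `'/..%5Cb%5cb.html'`, does not exercise the `..%5c` branch it is named for: `decodeURI` turns `%5C` into `\` before the check runs, so this input is rejected by the `..\\` comparison instead, and the `..%5c` branch is only reached by a double-encoded request such as `'/..%255cb%255cb.html'`. Add that case, plus `'/..%2fb/b.html'` (left undecoded by `decodeURI` and currently accepted by the provider) and a trailing-segment case like `'/b/..'`, so the suite pins the spellings the deny-list misses rather than only the ones it catches. A malformed-escape case such as `'/%'` would also document whether callers should expect a rejected promise or a synchronous `URIError`. The `describe` block begins before the hunk.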