--- a/services/clsi/app/js/StaticServerForbidSymlinks.js
+++ b/services/clsi/app/js/StaticServerForbidSymlinks.js
@@ -25,9 +25,13 @@ module.exports = ForbidSymlinks = function (staticFn, root, options) {
     let file, projectId, result
     const path = req.url
     // check that the path is of the form /project_id_or_name/path/to/file.log
-    if ((result = path.match(/^\/?([a-zA-Z0-9_-]+)\/(.*)/))) {
+    if ((result = path.match(/^\/([a-zA-Z0-9_-]+)\/(.*)$/s))) {
       projectId = result[1]
       file = result[2]
+      if (path !== `/${projectId}/${file}`) {
+        logger.warn({ path }, 'unrecognized file request')
+        return res.sendStatus(404)
+      }
     } else {
       logger.warn({ path }, 'unrecognized file request')
       return res.sendStatus(404)