diff --git a/include/config/config.h b/include/config/config.h
index 19f9303..a8ab02a 100644
--- a/include/config/config.h
+++ b/include/config/config.h
@@ -29,4 +29,6 @@ cws_config_s *cws_config_init(void);
 
 void cws_config_free(cws_config_s *config);
 
+cws_vhost_s *config_get_vhost(cws_config_s *config, char *host);
+
 #endif
diff --git a/src/config/config.c b/src/config/config.c
index 4179d12..0bb9995 100644
--- a/src/config/config.c
+++ b/src/config/config.c
@@ -173,3 +173,15 @@ void cws_config_free(cws_config_s *config) {
 		free(config);
 	}
 }
+
+cws_vhost_s *config_get_vhost(cws_config_s *config, char *host) {
+	for (unsigned i = 0; i < config->virtual_hosts_count; ++i) {
+		cws_vhost_s *vh = config->virtual_hosts;
+		if (!strcmp(vh[i].domain, host)) {
+			return &vh[i];
+		}
+	}
+
+	/* Return default domain */
+	return config->default_vh;
+}
diff --git a/src/core/worker.c b/src/core/worker.c
index 3920428..7d1d84c 100644
--- a/src/core/worker.c
+++ b/src/core/worker.c
@@ -28,18 +28,6 @@ static void worker_close_client(int epfd, int client_fd) {
 	close(client_fd);
 }
 
-static cws_vhost_s *get_vhost(cws_config_s *config, char *host) {
-	for (unsigned i = 0; i < config->virtual_hosts_count; ++i) {
-		cws_vhost_s *vh = config->virtual_hosts;
-		if (!strcmp(vh[i].domain, host)) {
-			return &vh[i];
-		}
-	}
-
-	/* Return default domain */
-	return config->default_vh;
-}
-
 static cws_return worker_handle_client_data(int epfd, int client_fd, cws_config_s *config) {
 	string_s *data = string_new("", 4096);
 
@@ -78,7 +66,7 @@ static cws_return worker_handle_client_data(int epfd, int client_fd, cws_config_
 
 	/* Configure handler */
 	char *host = cws_request_get_header(request, "host");
-	cws_vhost_s *vh = get_vhost(config, host);
+	cws_vhost_s *vh = config_get_vhost(config, host);
 	cws_handler_config_s conf = {
 		.domain = vh->domain,
 		.root = vh->root,
diff --git a/src/http/handler.c b/src/http/handler.c
index 755571f..fa41d21 100644
--- a/src/http/handler.c
+++ b/src/http/handler.c
@@ -1,21 +1,33 @@
 #include "http/handler.h"
+#include "config/config.h"
 #include "utils/debug.h"
 #include <myclib/mystring.h>
 #include <string.h>
 #include <sys/stat.h>
 
 /* Sanitize and resolve file path */
-/* @TODO: fix path traversal */
 static string_s *resolve_file_path(const char *url_path, cws_handler_config_s *config) {
 	string_s *full_path = string_new(config->root, 256);
+	if (!full_path) {
+		return NULL;
+	}
 
 	if (strcmp(url_path, "/") == 0) {
 		string_append(full_path, "/");
-		/* Use vhost index file */
+		/* @TODO: Use vhost index file */
 		string_append(full_path, "index.html");
 		return full_path;
 	}
 
+	string_s *url_path_string = string_new(url_path, 0);
+	if (!url_path_string) {
+		return NULL;
+	}
+
+	if (string_find(url_path_string, "..")) {
+		return full_path;
+	}
+
 	string_append(full_path, url_path);
 
 	return full_path;
@@ -43,6 +55,8 @@ cws_response_s *cws_handler_static_file(cws_request_s *request, cws_handler_conf
 		return cws_handler_not_implemented();
 	}
 
+	/* @TODO: use config_get_vhost */
+	// cws_vhost_s *vhost = config_get_vhost(, request->host);
 	string_s *filepath = resolve_file_path(string_cstr(request->path), config);
 	const char *path = string_cstr(filepath);