diff --git a/Core/RequestHandler.cs b/Core/RequestHandler.cs index b93b551..b701d85 100644 --- a/Core/RequestHandler.cs +++ b/Core/RequestHandler.cs @@ -13,6 +13,7 @@ using Mahi.Settings; using System.IO; using System.Runtime.InteropServices; +using System.Text.RegularExpressions; namespace Mahi.Core { @@ -60,7 +61,7 @@ public static void Process(HttpServer server) if (config.RedirectErrorPage) { - if (!config.ExtentionRequired && config.NotExtentionInUrl && page != null && page.EndsWith(".htmlua")) + if (!config.ExtentionRequired && config.NotExtentionInUrl && page != null && page.ToLower().EndsWith(".htmlua")) page = page.Remove(page.Length - 7, 7); response.StatusCode = 302; @@ -159,12 +160,13 @@ static void HandleContext(HttpRequest request, HttpResponse response) { if (!File.Exists(filename)) { - if(Directory.Exists(filename)) + if (Directory.Exists(filename)) { string compareName = filename.ToLower(); if (!config.DirectoryBrowsing || compareName.StartsWith(modulesPath.ToLower().TrimEnd('\\')) || compareName.StartsWith(librariesPath.ToLower().TrimEnd('\\')) || - compareName.StartsWith(controllersPath.ToLower().TrimEnd('\\'))) + compareName.StartsWith(controllersPath.ToLower().TrimEnd('\\')) || + IsFrobbidenPath(request.Uri.AbsolutePath)) { response.StatusCode = 404; return; @@ -195,12 +197,13 @@ static void HandleContext(HttpRequest request, HttpResponse response) return; } } - else if (!filename.EndsWith(".htmlua")) + else if (!filename.ToLower().EndsWith(".htmlua")) { string compareName = filename.ToLower(); if (compareName.StartsWith(modulesPath.ToLower().TrimEnd('\\')) || compareName.StartsWith(librariesPath.ToLower().TrimEnd('\\')) || - compareName.StartsWith(controllersPath.ToLower().TrimEnd('\\'))) + compareName.StartsWith(controllersPath.ToLower().TrimEnd('\\')) || + IsFrobbidenPath(request.Uri.AbsolutePath)) { response.StatusCode = 404; return; 
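Review bot: The case-insensitive suffix test in the `@@ -60,7 +61,7 @@` hunk (`Process`) is written as `page.ToLower().EndsWith(".htmlua")`, which allocates a lowered copy and lowers with the current culture. `page.EndsWith(".htmlua", StringComparison.OrdinalIgnoreCase)` states the intent directly and behaves the same on every server locale. The same pattern recurs in the `-195`, `-210`, `-277`, `-290` and `-308` hunks and could share one helper, for example `HasScriptExtension(string)` (the name is a suggestion), so the extension string and the `7` in `page.Remove(page.Length - 7, 7)` are defined in one place. `Process` starts and ends outside the hunk.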
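Review bot: `IsFrobbidenPath(request.Uri.AbsolutePath)` in the `@@ -159,12 +160,13 @@` hunk tests the URL text, while the three checks beside it and the later file access use `filename`, so the deny rule and the file that is served are decided on two different strings. If the URL-to-file mapping (not visible here) decodes, rewrites or case-folds the path, a configured pattern can miss a request that resolves to a protected file or directory. Matching the patterns against the web-root-relative form of `filename`, after normalisation, keeps the decision on the path that is opened. The `@@ -195,12 +197,13 @@` hunk has the same call. `HandleContext` starts and ends outside the hunk.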
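Review bot: The `else if (!filename.ToLower().EndsWith(".htmlua"))` branch in the `@@ -195,12 +197,13 @@` hunk is what keeps script source out of the static-file path (it appears to lead to the `File.ReadAllBytes(filename)` write visible at the start of the next hunk), and a suffix test on the raw string only covers names that differ by case. File systems can treat other spellings of a name as the same file (path equivalence, CWE-41), so the test is better made on the extension of the canonicalised path, for example `Path.GetExtension(Path.GetFullPath(filename))` compared with `StringComparison.OrdinalIgnoreCase`, followed by a check that the result still lies under the web root. Whether `filename` is already canonical at this point cannot be seen from the hunk.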
@@ -210,8 +213,8 @@ static void HandleContext(HttpRequest request, HttpResponse response) response.ResponseStream.Write(File.ReadAllBytes(filename)); return; } - else if ((config.ExtentionRequired && !request.Uri.AbsolutePath.EndsWith(".htmlua") || (!File.Exists(filename) && config.ExtentionRequired)) - || (!defaultPageFound && !config.ExtentionRequired && config.NotExtentionInUrl && request.Uri.AbsolutePath.EndsWith(".htmlua"))) + else if ((config.ExtentionRequired && !request.Uri.AbsolutePath.ToLower().EndsWith(".htmlua") || (!File.Exists(filename) && config.ExtentionRequired)) + || (!defaultPageFound && !config.ExtentionRequired && config.NotExtentionInUrl && request.Uri.AbsolutePath.ToLower().EndsWith(".htmlua"))) { response.StatusCode = 404; LastError = new PageNotFoundException("url \"" + request.Uri.AbsolutePath + "\" not found!"); @@ -277,7 +280,7 @@ static void HandleException(Exception ex, HttpResponse response) if (config.RedirectErrorPage) { - if (!config.ExtentionRequired && config.NotExtentionInUrl && page.EndsWith(".htmlua")) + if (!config.ExtentionRequired && config.NotExtentionInUrl && page.ToLower().EndsWith(".htmlua")) page = page.Remove(page.Length - 7, 7); response.Headers.Add("Location", page); @@ -290,7 +293,16 @@ static void HandleException(Exception ex, HttpResponse response) .Replace("{DotnetVersion}", "dotnet " + Environment.Version.ToString()).Replace("{MahiVersion}", "Mahi " + Resources.Version))); } - private static string CreateDirectoryBrowsintTable(string filename,string path) + private static bool IsFrobbidenPath(string absolutePath) + { + foreach (var path in AppConfig.Instance.FrobbidenPaths) + if (Regex.Match(absolutePath, path).Success) + return true; + //! may only `return false` is ok + return absolutePath.ToLower().EndsWith(".htmlua"); + } + + private static string CreateDirectoryBrowsintTable(string filename, string path) { StringBuilder sb = new StringBuilder(); 
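Review bot: `page.ToLower()` in the `@@ -277,7 +280,7 @@` hunk (`HandleException`) is reached without the `page != null` guard that the matching line in `Process` has, so a status code with no configured error page would raise a NullReferenceException inside the error handler itself. How `page` is assigned is outside the hunk, so this depends on it being nullable here. If it is, `page != null && page.EndsWith(".htmlua", StringComparison.OrdinalIgnoreCase)` closes it.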
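Review bot: `IsFrobbidenPath` in the `@@ -290,7 +293,16 @@` hunk dereferences `AppConfig.Instance.FrobbidenPaths` unconditionally, and `ParseYaml` assigns it only when the `frobbidenpaths` key is present, so unless the property is initialised elsewhere every static-file and directory request throws on a configuration without that key. The patterns are also matched case-sensitively and with no match timeout against a client-supplied path, which lets a differently-cased URL miss a rule and lets a backtracking-heavy pattern tie up a request thread. The rewrite below handles the missing key, uses `RegexOptions.IgnoreCase` with a timeout (the 100 ms value is illustrative; a timeout surfaces as `RegexMatchTimeoutException`, which should end in an error response rather than the file), and replaces the `//! may only return false is ok` remark with a comment that states why the `.htmlua` fallback is there.

```csharp
        private static bool IsFrobbidenPath(string absolutePath)
        {
            // A configuration without the "frobbidenpaths" key leaves the array unset.
            var patterns = AppConfig.Instance.FrobbidenPaths ?? new string[0];

            foreach (var pattern in patterns)
            {
                if (Regex.IsMatch(absolutePath, pattern,
                        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant,
                        TimeSpan.FromMilliseconds(100)))
                {
                    return true;
                }
            }

            // Script sources must never be served or listed as static content,
            // whatever the configured patterns say.
            return absolutePath.EndsWith(".htmlua", StringComparison.OrdinalIgnoreCase);
        }
```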
@@ -308,7 +320,7 @@ private static string CreateDirectoryBrowsintTable(string filename,string path) } string[] files = Directory.GetFiles(filename); - foreach(var file in files.Where(file => !Path.GetFileName(file).StartsWith("."))) + foreach (var file in files.Where(file => !Path.GetFileName(file).StartsWith(".") && !Path.GetFileName(file).ToLower().EndsWith(".htmlua"))) { FileInfo info = new FileInfo(file); string name = Path.GetFileName(file); diff --git a/Settings/AppConfig.cs b/Settings/AppConfig.cs index 9021e37..68e9913 100644 --- a/Settings/AppConfig.cs +++ b/Settings/AppConfig.cs @@ -20,6 +20,7 @@ public class AppConfig public bool NotExtentionInUrl { get; set; } public Dictionary ConnectionStrings { get; set; } public Dictionary Routes { get; set; } + public string[] FrobbidenPaths { get; internal set; } public bool RedirectErrorPage { get; set; } public Dictionary ErrorPages { get; internal set; } public Dictionary HttpModules { get; internal set; } @@ -38,6 +39,7 @@ public static AppConfig Instance } } + public static void LoadConfigs() { if (!File.Exists(_filename)) diff --git a/Settings/ConfigParser.cs b/Settings/ConfigParser.cs index a9bb173..1333491 100644 --- a/Settings/ConfigParser.cs +++ b/Settings/ConfigParser.cs @@ -58,6 +58,9 @@ public static AppConfig ParseYaml(string yamlContent) case "routes": config.Routes = ReadRouteDictionary((YamlMappingNode)entry.Value); break; + case "frobbidenpaths": + config.FrobbidenPaths = ReadStringArray((YamlSequenceNode)entry.Value); + break; case "redirecterrorcode": config.RedirectErrorPage = bool.Parse(((YamlScalarNode)entry.Value).Value); break;
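Review bot: The listing filter in the `@@ -308,7 +320,7 @@` hunk hides dot-files and `.htmlua` files but does not consult `FrobbidenPaths`, so entries that `HandleContext` answers with 404 are still named in the directory table. Building each entry's URL from `path` and skipping it when `IsFrobbidenPath` returns true would keep the listing consistent with the access rule. The sub-directory loop earlier in `CreateDirectoryBrowsintTable` is outside the hunk and may need the same filter. The predicate also calls `Path.GetFileName(file)` twice per file before the loop body calls it again; computing the name once would read better.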
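Review bot: The new property in the `@@ -20,6 +20,7 @@` hunk of `Settings/AppConfig.cs` is spelled `FrobbidenPaths`, and the misspelling is carried into the public API, the `IsFrobbidenPath` helper and the `frobbidenpaths` configuration key. Renaming to `ForbiddenPaths` / `forbiddenpaths` before the key appears in deployed configuration files avoids a later compatibility shim. The property also has no default; giving it one, `public string[] ForbiddenPaths { get; internal set; } = new string[0];` (or an assignment in the constructor on older compilers), lets readers iterate it without a null check.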
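Review bot: The `frobbidenpaths` case in the `@@ -58,6 +58,9 @@` hunk of `Settings/ConfigParser.cs` stores the strings unchecked, so a malformed regular expression is only discovered when a request reaches `Regex.Match`, where it throws `ArgumentException` on each affected request. Compiling each entry once while parsing, for example `new Regex(pattern)` inside a try/catch that reports the offending entry, turns a typo in an access rule into a start-up error instead of a runtime failure. A value that is not a sequence could be rejected at the same point rather than failing on the `(YamlSequenceNode)` cast. `ParseYaml` starts and ends outside the hunk.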