diff --git a/public/index.php b/public/index.php
index 7329d7b..89e08d9 100644
--- a/public/index.php
+++ b/public/index.php
@@ -131,11 +131,15 @@ CSRF::init(
 $router = $msz->createRouting();
 $msz->startTemplating();
 
-$mszRequestPath = $request->getPath();
+$mszRequestPath = substr($request->getPath(), 1);
 $mszLegacyPathPrefix = MSZ_PUBLIC . '-legacy/';
-$mszLegacyPath = realpath($mszLegacyPathPrefix . $mszRequestPath);
+$mszLegacyPath = $mszLegacyPathPrefix . $mszRequestPath;
 
 if(!empty($mszLegacyPath) && str_starts_with($mszLegacyPath, $mszLegacyPathPrefix)) {
+    $mszLegacyPathReal = realpath($mszLegacyPath);
+    if($mszLegacyPath !== $mszLegacyPathReal && $mszLegacyPath !== $mszLegacyPathReal . '/')
+        Template::throwError(404);
+
     if(str_starts_with($mszRequestPath, '/manage') && !$msz->hasManageAccess())
         Template::throwError(403);
 
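Review bot: The 403 guard on the context line `if(str_starts_with($mszRequestPath, '/manage') && !$msz->hasManageAccess())` can no longer match, because the new `$mszRequestPath = substr($request->getPath(), 1);` strips the leading slash, so `hasManageAccess()` is never consulted for legacy `manage` paths; it should read `if(str_starts_with($mszRequestPath, 'manage') && !$msz->hasManageAccess())` (or test `$request->getPath()` directly). The surrounding `!empty($mszLegacyPath) && str_starts_with($mszLegacyPath, $mszLegacyPathPrefix)` condition is now tautological since `$mszLegacyPath` is a plain concatenation rather than a `realpath()` result, so the traversal protection rests entirely on the new canonical-equality check against `$mszLegacyPathReal` (which does reject a non-existent path, as `realpath()` returning `false` fails both comparisons). Note that `$mszLegacyPath` is no longer a resolved path; any later use of it in this block that previously relied on the `realpath()` value (the block continues past the hunk) should presumably switch to `$mszLegacyPathReal` — worth confirming. A one-line comment above the 404 check, such as `// request path must already be canonical: no '..', './' or symlink components`, would make the intent of the equality test clear to the next reader.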