diff --git a/internal/service/file.go b/internal/service/file.go
index b3809d9e..a23c4184 100644
--- a/internal/service/file.go
+++ b/internal/service/file.go
@@ -17,6 +17,7 @@ import (
 	"github.com/go-rat/chix"
 	"github.com/spf13/cast"
 
+	"github.com/TheTNB/panel/internal/app"
 	"github.com/TheTNB/panel/internal/biz"
 	"github.com/TheTNB/panel/internal/data"
 	"github.com/TheTNB/panel/internal/http/request"
@@ -117,6 +118,12 @@ func (s *FileService) Delete(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	banned := []string{"/", app.Root, filepath.Join(app.Root, "server"), filepath.Join(app.Root, "panel")}
+	if slices.Contains(banned, req.Path) {
+		Error(w, http.StatusForbidden, "please don't do this")
+		return
+	}
+
 	if err = io.Remove(req.Path); err != nil {
 		Error(w, http.StatusInternalServerError, "%v", err)
 		return
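Review bot: The deny list in the second hunk is compared against `req.Path` by exact string equality, so a request naming the same directory in an uncleaned form (a trailing separator, a redundant `.` or `..` segment, doubled separators) does not match and falls through to `io.Remove`. Normalize the client-supplied path once before the comparison, e.g. `p := filepath.Clean(req.Path)` followed by `if slices.Contains(banned, p) {`, and pass the same cleaned value to `io.Remove` so the check and the action see one path; if `app.Root` itself may be unclean, build `banned` from `filepath.Clean(app.Root)` too. The list protects only the directories themselves, not their contents, which is presumably intended but deserves a one-line comment such as `// refuse to delete the filesystem root and the panel's own install directories` above `banned`. The hunk does not show the import block for `filepath` and `slices`, so I assume both are already imported in this file. The body of `Delete` continues outside the hunk.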