diff --git a/gns3server/compute/project.py b/gns3server/compute/project.py
index 1e5276cf..b9567c94 100644
--- a/gns3server/compute/project.py
+++ b/gns3server/compute/project.py
@@ -29,6 +29,7 @@ from .port_manager import PortManager
 from .notification_manager import NotificationManager
 from ..config import Config
 from ..utils.asyncio import wait_run_in_executor
+from ..utils.path import check_path_allowed
 
 
 import logging
@@ -122,6 +123,7 @@ class Project:
 
     @path.setter
     def path(self, path):
+        check_path_allowed(path)
 
         if hasattr(self, "_path"):
             if path != self._path and self.is_local() is False:
diff --git a/gns3server/controller/project.py b/gns3server/controller/project.py
index a421d103..26fe6cb3 100644
--- a/gns3server/controller/project.py
+++ b/gns3server/controller/project.py
@@ -25,6 +25,7 @@ from .vm import VM
 from .udp_link import UDPLink
 from ..notification_queue import NotificationQueue
 from ..config import Config
+from ..utils.path import check_path_allowed
 
 
 class Project:
@@ -48,7 +49,6 @@ class Project:
                 raise aiohttp.web.HTTPBadRequest(text="{} is not a valid UUID".format(project_id))
             self._id = project_id
 
-        #TODO: Security check if not locale
         if path is None:
             location = self._config().get("project_directory", self._get_default_project_directory())
             path = os.path.join(location, self._id)
@@ -81,6 +81,7 @@ class Project:
 
     @path.setter
     def path(self, path):
+        check_path_allowed(path)
         try:
             os.makedirs(path, exist_ok=True)
         except OSError as e:
diff --git a/gns3server/utils/path.py b/gns3server/utils/path.py
new file mode 100644
index 00000000..ebafe9fe
--- /dev/null
+++ b/gns3server/utils/path.py
@@ -0,0 +1,39 @@
+#!/usr/bin/env python
+#
+# Copyright (C) 2016 GNS3 Technologies Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import aiohttp
+
+from ..config import Config
+
+
+def check_path_allowed(path):
+    """
+    If the server is non local raise an error if
+    the path is outside project directories
+
+    Raise a 403 in case of error
+    """
+
+    config = Config.instance().get_section_config("Server")
+    project_directory = config.get("project_directory")
+
+    if len(os.path.commonprefix([project_directory, path])) == len(project_directory):
+        return
+
+    if config.getboolean("local") is False:
+        raise aiohttp.web.HTTPForbidden(text="The path is not allowed")
diff --git a/tests/utils/test_path.py b/tests/utils/test_path.py
new file mode 100644
index 00000000..20bed40c
--- /dev/null
+++ b/tests/utils/test_path.py
@@ -0,0 +1,32 @@
+#!/usr/bin/env python
+#
+# Copyright (C) 2016 GNS3 Technologies Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import pytest
+import aiohttp
+
+from gns3server.utils.path import check_path_allowed
+
+
+def test_check_path_allowed(config, tmpdir):
+    config.set("Server", "local", False)
+    config.set("Server", "project_directory", str(tmpdir))
+    with pytest.raises(aiohttp.web.HTTPForbidden):
+        check_path_allowed("/private")
+
+    config.set("Server", "local", True)
+    check_path_allowed(str(tmpdir / "hello" / "world"))
+    check_path_allowed("/private")