diff --git a/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/I2PTunnelHTTPClient.java b/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/I2PTunnelHTTPClient.java
index ce63e5359f000d67a1f08ad91c022a592b11776b..f450682cd0731051e06ffa6ed247a34f5e66b82b 100644
--- a/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/I2PTunnelHTTPClient.java
+++ b/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/I2PTunnelHTTPClient.java
@@ -811,11 +811,14 @@ public class I2PTunnelHTTPClient extends I2PTunnelClientBase implements Runnable
      *  but inproxy/gateway ops would be wise to block proxy.i2p to prevent
      *  exposing the docs/ directory or perhaps other issues through
      *  uncaught vulnerabilities.
+     *  Restrict to the /themes/ directory for now.
      *
-     *  @param targetRequest "proxy.i2p/foo.png HTTP/1.1"
+     *  @param targetRequest "proxy.i2p/themes/foo.png HTTP/1.1"
      */
     private static void serveLocalFile(OutputStream out, String method, String targetRequest) {
-        if (method.equals("GET") || method.equals("HEAD")) {
+        if ((method.equals("GET") || method.equals("HEAD")) &&
+            targetRequest.startsWith("proxy.i2p/themes/") &&
+            !targetRequest.contains("..")) {
             int space = targetRequest.indexOf(' ');
             String filename = null;
             try {