diff --git a/modules/caddyhttp/server.go b/modules/caddyhttp/server.go
index 8a784318a..60717301d 100644
--- a/modules/caddyhttp/server.go
+++ b/modules/caddyhttp/server.go
@@ -348,7 +348,7 @@ func (strict *StrictOptions) enforce(r *http.Request) error {
 // Reject paths with // or ..
 if strict == nil || !strict.LenientPaths {
- if strings.Contains(r.URL.Path, "//") || strings.Contains(r.URL.Path, "..") {
+ if strings.Contains(r.URL.Path, "//") || strings.Contains(r.URL.Path, "..") || strings.Contains(r.URL.Path, "\x00") {
 return Error(http.StatusBadRequest, fmt.Errorf("invalid request path: %s", r.URL.RawPath))
 }
 }
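Review bot: The error returned right after the new NUL check still formats `r.URL.RawPath` with `%s`, while all three conditions test the decoded `r.URL.Path`. net/url leaves RawPath empty whenever the default encoding of Path matches what was sent, which is the case for a plain `%00`, so a request rejected by the new condition will most likely be reported with an empty path. Reporting the value that was actually checked, with quoting so the NUL byte never reaches the log as a raw control character, would be `fmt.Errorf("invalid request path: %q", r.URL.Path)`. The comment above the guard is now stale and could read `// Reject paths containing //, .. or a NUL byte`. The body of enforce starts and ends outside this hunk, so whether other control characters are handled elsewhere cannot be seen from here.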