diff --git a/lib/pact_broker/app.rb b/lib/pact_broker/app.rb
index 05b104866..c029f8ac2 100644
--- a/lib/pact_broker/app.rb
+++ b/lib/pact_broker/app.rb
@@ -78,7 +78,7 @@ def prepare_app
 end
 
 def configure_middleware
- @app_builder.use Rack::Protection, except: [:remote_token, :session_hijacking, :http_origin]
+ @app_builder.use Rack::Protection, except: [:path_traversal, :remote_token, :session_hijacking, :http_origin]
 @app_builder.use Rack::PactBroker::InvalidUriProtection
 @app_builder.use Rack::PactBroker::AddPactBrokerVersionHeader
 @app_builder.use Rack::Static, :urls => ["/stylesheets", "/css", "/fonts", "/js", "/javascripts", "/images"], :root => PactBroker.project_root.join("public")
diff --git a/spec/integration/app_spec.rb b/spec/integration/app_spec.rb
index 231ddcaf1..e3bdeecea 100644
--- a/spec/integration/app_spec.rb
+++ b/spec/integration/app_spec.rb
@@ -187,5 +187,15 @@ module PactBroker
 expect(last_response.status).to eq 404
 end
 end
+
+ describe "when a resource identifier contains a slash" do
+ let(:path) { "/pacticipants/Foo/versions/1.2.3/tags/feat%2Fbar" }
+
+ subject { put path, nil, {'CONTENT_TYPE' => 'application/json'}; last_response }
+
+ it "returns a success status" do
+ expect(subject.status).to eq 201
+ end
+ end
 end
 end
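Review bot: The new `except:` entry switches off Rack::Protection's path-traversal normalisation for every route, not just the ones that carry a `%2F` in a resource identifier, and nothing in the hunk records why, so a later reader is likely to "fix" it back. A why-comment on the changed line would prevent that, e.g. `# :path_traversal is excluded because it unescapes %2F in PATH_INFO, which breaks resource names containing a slash (see "resource identifier contains a slash" in spec/integration/app_spec.rb)`. Since that middleware was also the layer that collapsed encoded `..` segments before requests reached the app, it is worth confirming that Rack::Static's own path cleaning (and Rack::PactBroker::InvalidUriProtection, whose behaviour is not visible here) still rejects traversal into the `public` root, and pinning that with a regression example alongside the new spec so the exclusion cannot silently widen what static file paths are served. configure_middleware continues past the end of the hunk.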
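Review bot: The new example only checks for a 201, which would also pass if `%2F` were still being unescaped and the request merely landed on some other route that accepts a PUT; the property the change actually protects is that the tag name survives as `feat/bar`. If the tag resource echoes its name in the response, adding `expect(JSON.parse(subject.body)["name"]).to eq "feat/bar"` (or a follow-up GET of the same path expecting 200) would pin that — I cannot see the response shape from this hunk, so confirm the field name first. As a matter of style, the `subject` line joins two statements with a semicolon; a `do ... end` block with `put` on one line and `last_response` on the next reads better and matches the surrounding examples. The enclosing `describe`/`module` blocks begin before the hunk.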