diff --git a/src/storage/filesystem.js b/src/storage/filesystem.js
index fb309425c..960b54a2b 100644
--- a/src/storage/filesystem.js
+++ b/src/storage/filesystem.js
@@ -229,7 +229,7 @@ function removeDir(apiConfig, pathPrefix) {
 function validateBackupTarget(folder) {
 assert.strictEqual(typeof folder, 'string');
- if (path.normalize(folder) !== folder) return new BoxError(BoxError.BAD_FIELD, 'backupFolder must contain a normalized relative path', { field: 'backupFolder' });
+ if (path.normalize(folder) !== folder) return new BoxError(BoxError.BAD_FIELD, 'backupFolder must contain a normalized path', { field: 'backupFolder' });
 if (!path.isAbsolute(folder)) return new BoxError(BoxError.BAD_FIELD, 'backupFolder must be an absolute path', { field: 'backupFolder' });
 if (folder === '/') return new BoxError(BoxError.BAD_FIELD, 'backupFolder cannot be /', { field: 'backupFolder' });
diff --git a/src/volumes.js b/src/volumes.js
index f7ea25dab..159cce277 100644
--- a/src/volumes.js
+++ b/src/volumes.js
@@ -11,6 +11,7 @@ const assert = require('assert'),
 BoxError = require('./boxerror.js'),
 debug = require('debug')('box:volumes'),
 eventlog = require('./eventlog.js'),
+ path = require('path'),
 sftp = require('./sftp.js'),
 uuid = require('uuid'),
 volumedb = require('./volumedb.js');
@@ -26,7 +27,15 @@ function validateName(name) {
 function validateHostPath(hostPath) {
 assert.strictEqual(typeof hostPath, 'string');
- if (!hostPath.startsWith('/mnt') && !hostPath.startsWith('/media')) return new BoxError(BoxError.BAD_FIELD, 'hostPath must be in /mnt or /media');
+ if (path.normalize(hostPath) !== hostPath) return new BoxError(BoxError.BAD_FIELD, 'hostPath must contain a normalized path', { field: 'hostPath' });
+ if (!path.isAbsolute(hostPath)) return new BoxError(BoxError.BAD_FIELD, 'backupFolder must be an absolute path', { field: 'hostPath' });
+
+ if (hostPath === '/') return new BoxError(BoxError.BAD_FIELD, 'hostPath cannot be /', { field: 'hostPath' });
+
+ if (!hostPath.endsWith('/')) hostPath = hostPath + '/'; // ensure trailing slash for the prefix matching to work
+ const allowedPaths = [ '/mnt/', '/media/', '/srv/', '/opt/' ];
+
+ if (!allowedPaths.some(p => hostPath.startsWith(p))) return new BoxError(BoxError.BAD_FIELD, 'hostPath must be under /mnt, /media, /opt or /srv', { field: 'hostPath' });
 return null;
 }
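Review bot: The absolute-path check added to validateHostPath still reports `'backupFolder must be an absolute path'` while tagging the error `{ field: 'hostPath' }`, which looks copied from validateBackupTarget; it should read `'hostPath must be an absolute path'`. Separately, the whole validation is lexical: the `path.normalize(hostPath) !== hostPath` test rules out `..` segments, but a symlink below /mnt, /media, /srv or /opt is not resolved, so the directory that ends up being used can lie outside the allow-list. If the consumer of hostPath follows symlinks (not visible in this hunk), comparing `fs.realpathSync(hostPath)` against the same prefixes at validation or mount time would close that gap. A short comment above `allowedPaths` saying why /srv and /opt were added would also help, since /opt commonly holds installed software rather than data.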