diff --git a/src/volumes.js b/src/volumes.js
index 1ab6ae0b4..12f75d3a4 100644
--- a/src/volumes.js
+++ b/src/volumes.js
@@ -56,13 +56,11 @@ function validateHostPath(hostPath, mountType) {
 
     if (hostPath === '/') return new BoxError(BoxError.BAD_FIELD, 'hostPath cannot be /');
 
-    if (!hostPath.endsWith('/')) hostPath = hostPath + '/'; // ensure trailing slash for the prefix matching to work
+    const allowedPaths = [ '/mnt', '/media', '/srv', '/opt' ];
+    if (!allowedPaths.some(p => hostPath === p || hostPath.startsWith(p + '/'))) return new BoxError(BoxError.BAD_FIELD, 'hostPath must be under /mnt, /media, /opt or /srv');
 
-    const allowedPaths = [ '/mnt/', '/media/', '/srv/', '/opt/' ];
-    if (!allowedPaths.some(p => hostPath.startsWith(p))) return new BoxError(BoxError.BAD_FIELD, 'hostPath must be under /mnt, /media, /opt or /srv');
-
-    const reservedPaths = [ `${paths.VOLUMES_MOUNT_DIR}/` ];
-    if (reservedPaths.some(p => hostPath.startsWith(p))) return new BoxError(BoxError.BAD_FIELD, 'hostPath is reserved');
+    const reservedPaths = [ `${paths.VOLUMES_MOUNT_DIR}` ];
+    if (reservedPaths.some(p => hostPath === p || hostPath.startsWith(p + '/'))) return new BoxError(BoxError.BAD_FIELD, 'hostPath is reserved');
 
     if (!constants.TEST) { // we expect user to have already mounted this
         const stat = safe.fs.lstatSync(hostPath);