diff --git a/examples/llama.swiftui/llama.swiftui/UI/DownloadButton.swift b/examples/llama.swiftui/llama.swiftui/UI/DownloadButton.swift
index 4584d6eaa3d32..d9eaba60ed939 100644
--- a/examples/llama.swiftui/llama.swiftui/UI/DownloadButton.swift
+++ b/examples/llama.swiftui/llama.swiftui/UI/DownloadButton.swift
@@ -48,6 +48,18 @@ struct DownloadButton: View {
 do {
 if let temporaryURL = temporaryURL {
+ let tempDir = FileManager.default.temporaryDirectory
+ guard temporaryURL.path.hasPrefix(tempDir.path) else {
+ print("Security Error: Temporary file path is outside expected directory")
+ return
+ }
+
+ let docsDir = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
+ guard fileURL.path.hasPrefix(docsDir.path) else {
+ print("Security Error: Destination path is outside documents directory")
+ return
+ }
+
 try FileManager.default.copyItem(at: temporaryURL, to: fileURL)
 print("Writing to \(filename) completed")
diff --git a/examples/llama.swiftui/llama.swiftui/UI/InputButton.swift b/examples/llama.swiftui/llama.swiftui/UI/InputButton.swift
index c5ffbad4ec331..7119ebf6a495c 100644
--- a/examples/llama.swiftui/llama.swiftui/UI/InputButton.swift
+++ b/examples/llama.swiftui/llama.swiftui/UI/InputButton.swift
@@ -52,6 +52,18 @@ struct InputButton: View {
 do {
 if let temporaryURL = temporaryURL {
+ let tempDir = FileManager.default.temporaryDirectory
+ guard temporaryURL.path.hasPrefix(tempDir.path) else {
+ print("Security Error: Temporary file path is outside expected directory")
+ return
+ }
+
+ let docsDir = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
+ guard fileURL.path.hasPrefix(docsDir.path) else {
+ print("Security Error: Destination path is outside documents directory")
+ return
+ }
+
 try FileManager.default.copyItem(at: temporaryURL, to: fileURL)
 print("Writing to \(filename) completed")
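Review bot: Both new guards in the DownloadButton.swift hunk compare raw path strings with `hasPrefix`, which neither respects component boundaries nor normalises the path: a sibling directory such as `<docs>Backup/x` (constructed example) shares the documents directory's string prefix, and a destination containing `..` segments still starts with it. Compare standardised path components instead, e.g. `guard fileURL.standardizedFileURL.pathComponents.starts(with: docsDir.standardizedFileURL.pathComponents) else { … }`, and do the same for `temporaryURL` against `tempDir`. The string form also differs when one side is reached through a symlink, so the temp-directory guard could presumably refuse a legitimate download; applying `resolvingSymlinksInPath()` to both sides before comparing would avoid that. The identical pair of guards in the InputButton.swift hunk has the same problem. The enclosing closure starts and ends outside both hunks.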
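Review bot: The validation block in the InputButton.swift hunk is a line-for-line copy of the one added to DownloadButton.swift; moving it into one shared helper would keep the two views from drifting apart when the check is corrected. In both copies the failure branch only calls `print` and returns, so as far as the hunk shows the user gets no indication that the file was refused; whether the view's status is reset elsewhere is not visible here. The `[0]` subscript on `urls(for:in:)` also traps if the array is empty, whereas `guard let docsDir = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask).first else { return }` fails closed without crashing.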
diff --git a/tools/server/webui/src/lib/constants/settings-config.ts b/tools/server/webui/src/lib/constants/settings-config.ts
index 512dcc96997e7..7e943f853fd15 100644
--- a/tools/server/webui/src/lib/constants/settings-config.ts
+++ b/tools/server/webui/src/lib/constants/settings-config.ts
@@ -40,7 +40,7 @@ export const SETTING_CONFIG_DEFAULT: Record =
 };
 export const SETTING_CONFIG_INFO: Record = {
- apiKey: 'Set the API Key if you are using --api-key option for the server.',
+ apiKey: 'Configure the API Key for authentication. Never hardcode API keys in source code - use environment variables or secure configuration management instead.',
 systemMessage: 'The starting message that defines how model should behave.',
 theme: 'Choose the color theme for the interface. You can choose between System (follows your device settings), Light, or Dark.',
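Review bot: The new `apiKey` help text drops the only pointer to the server's `--api-key` option, which told the user when this field has to be filled in. It replaces that with advice about source code and environment variables that someone typing a key into a settings dialog cannot act on. Keep the original guidance and, if a caution is wanted, make it about this field, e.g. `apiKey: 'Set the API Key if you are using --api-key option for the server. Treat it like a password and avoid entering it on shared devices.',`. Where the web UI stores the value is not visible in this hunk, so any wording about storage should be checked against the settings store first.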