diff --git a/CHANGELOG.md b/CHANGELOG.md
index 663779dd..b0f823e3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@
 - Spelling mistake fixed in German lang file ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/370))
 - Backup failure warning (Tab text goes red) ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/373))
 - Rework server list on dashboard display for use on small screens ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/372))
+- File handling enhancements ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/362))
 <br><br>
 
 ## --- [4.0.3] - 2022/06/18
diff --git a/app/classes/shared/helpers.py b/app/classes/shared/helpers.py
index 6d94854c..4273c38f 100644
--- a/app/classes/shared/helpers.py
+++ b/app/classes/shared/helpers.py
@@ -144,7 +144,8 @@ class Helpers:
     @staticmethod
     def check_file_perms(path):
         try:
-            open(path, "r", encoding="utf-8").close()
+            with open(path, "r", encoding="utf-8"):
+                pass
             logger.info(f"{path} is readable")
             return True
         except PermissionError:
@@ -480,7 +481,8 @@ class Helpers:
     def check_writeable(path: str):
         filename = os.path.join(path, "tempfile.txt")
         try:
-            open(filename, "w", encoding="utf-8").close()
+            with open(filename, "w", encoding="utf-8"):
+                pass
             os.remove(filename)
 
             logger.info(f"{filename} is writable")
@@ -518,7 +520,8 @@ class Helpers:
 
         # ensure the log file is there
         try:
-            open(log_file, "a", encoding="utf-8").close()
+            with open(log_file, "a", encoding="utf-8"):
+                pass
         except Exception as e:
             Console.critical(f"Unable to open log file! {e}")
             sys.exit(1)
@@ -648,7 +651,7 @@ class Helpers:
 
         session_data = {"pid": pid, "started": now.strftime("%d-%m-%Y, %H:%M:%S")}
         with open(self.session_file, "w", encoding="utf-8") as f:
-            json.dump(session_data, f, indent=True)
+            json.dump(session_data, f, indent=4)
 
     # because this is a recursive function, we will return bytes,
     # and set human readable later
@@ -782,13 +785,15 @@ class Helpers:
         cert.set_version(2)
         cert.sign(k, "sha256")
 
-        f = open(cert_file, "w", encoding="utf-8")
-        f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode())
-        f.close()
+        with open(cert_file, "w", encoding="utf-8") as cert_file_handle:
+            cert_file_handle.write(
+                crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode()
+            )
 
-        f = open(key_file, "w", encoding="utf-8")
-        f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k).decode())
-        f.close()
+        with open(key_file, "w", encoding="utf-8") as key_file_handle:
+            key_file_handle.write(
+                crypto.dump_privatekey(crypto.FILETYPE_PEM, k).decode()
+            )
 
     @staticmethod
     def random_string_generator(size=6, chars=string.ascii_uppercase + string.digits):
@@ -1007,7 +1012,8 @@ class Helpers:
             return False
 
         try:
-            open(jar_path, "wb").write(response.content)
+            with open(jar_path, "wb") as jar_file:
+                jar_file.write(response.content)
         except Exception as e:
             logger.error("Unable to finish executable download. Error: %s", e)
             return False
diff --git a/app/classes/shared/server.py b/app/classes/shared/server.py
index 74b4c63a..07317ff2 100644
--- a/app/classes/shared/server.py
+++ b/app/classes/shared/server.py
@@ -802,10 +802,9 @@ class ServerInstance:
         self.server_scheduler.remove_job("c_" + str(self.server_id))
 
     def agree_eula(self, user_id):
-        file = os.path.join(self.server_path, "eula.txt")
-        f = open(file, "w", encoding="utf-8")
-        f.write("eula=true")
-        f.close()
+        eula_file = os.path.join(self.server_path, "eula.txt")
+        with open(eula_file, "w", encoding="utf-8") as f:
+            f.write("eula=true")
         self.run_threaded_server(user_id)
 
     def backup_server(self):
diff --git a/app/classes/web/panel_handler.py b/app/classes/web/panel_handler.py
index f8451522..8f44749f 100644
--- a/app/classes/web/panel_handler.py
+++ b/app/classes/web/panel_handler.py
@@ -1511,6 +1511,17 @@ class PanelHandler(BaseHandler):
             max_backups = bleach.clean(self.get_argument("max_backups", None))
 
             server_obj = self.controller.servers.get_server_obj(server_id)
+            if (
+                not backup_path
+                == self.helper.wtol_path(
+                    os.path.join(self.helper.backup_path, server_obj.server_uuid)
+                )
+                and self.helper.wtol_path(self.controller.project_root) in backup_path
+            ):
+                self.redirect(
+                    "/panel/error?error=Nefarious activities detected."
+                    " User attempted to make backup path within Crafty's root."
+                )
             server_obj.backup_path = backup_path
             self.controller.servers.update_server(server_obj)
             self.controller.management.set_backup_config(