diff --git a/nextflow/src/org/labkey/nextflow/NextFlowController.java b/nextflow/src/org/labkey/nextflow/NextFlowController.java
index f3adaef1..25075ab2 100644
--- a/nextflow/src/org/labkey/nextflow/NextFlowController.java
+++ b/nextflow/src/org/labkey/nextflow/NextFlowController.java
@@ -45,6 +45,7 @@ import org.springframework.web.servlet.ModelAndView;
 import java.io.File;
+import java.nio.file.InvalidPathException;
 import java.util.Arrays;
 import java.util.List;
@@ -223,6 +224,10 @@ public ModelAndView getView(EnabledForm form, boolean reshow, BindException erro
         @Override
         public boolean handlePost(EnabledForm form, BindException errors)
         {
+            if (!getUser().hasSiteAdminPermission())
+            {
+                throw new UnauthorizedException();
+            }
             NextFlowManager.get().saveEnabledState(getContainer(), form.getEnabled());
             return true;
         }
@@ -257,6 +262,10 @@ public void validateCommand(AnalyzeForm o, Errors errors)
             {
                 errors.reject(ERROR_MSG, "NextFlow is not enabled");
             }
+            else if (NextFlowManager.get().getConfiguration() == null)
+            {
+                errors.reject(ERROR_MSG, "NextFlow has not been configured");
+            }
         }
 
         @Override
@@ -278,7 +287,7 @@ public ModelAndView getView(AnalyzeForm o, boolean b, BindException errors)
             }
             NextFlowConfiguration config = NextFlowManager.get().getConfiguration();
-            if (config.getNextFlowConfigFilePath() != null)
+            if (config != null && config.getNextFlowConfigFilePath() != null)
             {
                 File configDir = new File(config.getNextFlowConfigFilePath());
                 if (configDir.isDirectory())
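Review bot: The site-admin check added at the top of handlePost guards only the POST; the GET that renders the enable/disable form (getView, named in the hunk header) is not covered by this hunk, and the action class's own permission annotation is outside the hunk, so I cannot confirm it already restricts the view to site admins. The declarative form used elsewhere in LabKey, `@RequiresSiteAdmin` on the action class, is evaluated before either handler runs and would cover both paths; if the class is already annotated that way, the inline `if (!getUser().hasSiteAdminPermission())` block is redundant and could be dropped, and if it is not, the annotation is the safer place for the check than a method body that a future refactor may bypass. Either way, the code that decides who may reach this action should live in one place.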
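Review bot: The new validateCommand branch rejects a null configuration but still accepts a configuration whose config-file path is unset, which is exactly the case the handlePost hunk further down treats as "not configured" and rejects after submit. Hoisting `NextFlowConfiguration config = NextFlowManager.get().getConfiguration();` above the if/else chain and changing the branch to `else if (config == null || config.getNextFlowConfigFilePath() == null)` would surface that error during validation instead, and keeps the two checks from drifting apart. The literal "NextFlow has not been configured" now appears in two methods; a `private static final String` constant would keep the messages in sync. The opening of validateCommand lies above this hunk.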
@@ -311,8 +320,28 @@ public boolean handlePost(AnalyzeForm form, BindException errors) throws Excepti
             }
             NextFlowConfiguration config = NextFlowManager.get().getConfiguration();
+            if (config == null || config.getNextFlowConfigFilePath() == null)
+            {
+                errors.reject(ERROR_MSG, "NextFlow has not been configured");
+                return false;
+            }
+            if (StringUtils.isBlank(form.getConfigFile()))
+            {
+                errors.reject(ERROR_MSG, "No config file specified");
+                return false;
+            }
             File configDir = new File(config.getNextFlowConfigFilePath());
-            File configFile = FileUtil.appendPath(configDir, Path.parse(form.getConfigFile()));
+            File configFile;
+            try
+            {
+                // appendPath normalizes and enforces that the resolved path stays within configDir, rejecting traversal
+                configFile = FileUtil.appendPath(configDir, Path.parse(form.getConfigFile()));
+            }
+            catch (InvalidPathException e)
+            {
+                errors.reject(ERROR_MSG, "Invalid config file");
+                return false;
+            }
             if (!configFile.exists())
             {
                 errors.reject(ERROR_MSG, "Config file does not exist");