diff --git a/app/Http/Controllers/DeviceController.php b/app/Http/Controllers/DeviceController.php
index 087407936b..b3e48ae54c 100644
--- a/app/Http/Controllers/DeviceController.php
+++ b/app/Http/Controllers/DeviceController.php
@@ -72,6 +72,12 @@ class DeviceController extends Controller
 if ($current_tab == 'port') {
 $vars = Url::parseLegacyPath($request->path());
 $port = Port::findOrFail($vars->get('port'));
+
+ // This prevents users from traversal device id's by piggybacking on the auth for the specified port
+ if ($port->device_id !== $device_id) {
+ abort(404);
+ }
+
 $this->authorize('view', $port);
 } else {
 $this->authorize('view', $device);
diff --git a/html/graph.php b/html/graph.php
index 4dd76f4dc1..dedad80c7c 100644
--- a/html/graph.php
+++ b/html/graph.php
@@ -17,9 +17,7 @@ $start = microtime(true);
 $init_modules = array('web', 'graphs', 'auth');
 require realpath(__DIR__ . '/..') . '/includes/init.php';
-$auth = Auth::check() || is_client_authorized($_SERVER['REMOTE_ADDR']);
-
-if (!$auth) {
+if (!(Auth::check() || is_client_authorized($_SERVER['REMOTE_ADDR']))) {
 die('Unauthorized');
 }
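Review bot: The new guard `if ($port->device_id !== $device_id)` compares with strict inequality, but `$device_id` is defined above this hunk and its type is not visible here; if it arrives as a string route parameter while the Eloquent attribute is an int, the check trips for every legitimate port request and the tab becomes an unconditional 404. Normalise both sides before comparing, `if ((int) $port->device_id !== (int) $device_id) {`, or — if the `$device` model already in scope exposes a ports relation — scope the lookup instead so the ownership check cannot be bypassed or mistyped: `$port = $device->ports()->findOrFail($vars->get('port'));` (confirm that relation exists before relying on it). Please also tidy the comment to `// Reject ports that do not belong to this device, so a user cannot reach another device's data by pairing an arbitrary device id with a port they are authorised to view`. Responding with 404 rather than 403 is a sensible choice here since it does not confirm that the foreign port exists. The enclosing method begins before this hunk, so the origin of `$device_id` should be checked there.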
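Review bot: The rejection path still ends in `die('Unauthorized')`, which sends the body with the default 200 status, so proxies, caches and API clients see a successful response that merely contains the word "Unauthorized"; the rewritten condition is a good chance to fix that with `http_response_code(403);` immediately before the `die('Unauthorized');`. Since the hunk removes the `$auth` variable entirely, please confirm nothing further down graph.php (outside this hunk) still reads it. Separately, the allowlist branch trusts `$_SERVER['REMOTE_ADDR']` directly; if this endpoint is served behind a reverse proxy that value is the proxy's address, so `is_client_authorized()` would be evaluated against the wrong client — worth a comment on the line noting that assumption if the deployment guidance relies on it.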