diff --git a/lib/server.js b/lib/server.js
index da16d0ac..d98c2310 100644
--- a/lib/server.js
+++ b/lib/server.js
@@ -61,15 +61,16 @@ module.exports = coroutine(function*(req, res, flags, current, ignoredFiles) {
   const assetDir = path.normalize(process.env.ASSET_DIR)
 
   let related = path.parse(path.join(current, pathname))
+  let assetRequest = false
 
   if (related.dir.indexOf(assetDir) > -1) {
+    assetRequest = true
     const relative = path.relative(assetDir, pathname)
     related = path.parse(path.join(__dirname, '/../assets', relative))
   }
 
   related = decodeURIComponent(path.format(related))
 
-  const relatedExists = yield fs.exists(related)
   let notFoundResponse = 'Not Found'
 
   try {
@@ -77,6 +78,11 @@ module.exports = coroutine(function*(req, res, flags, current, ignoredFiles) {
     notFoundResponse = yield fs.readFile(custom404Path, 'utf-8')
   } catch (err) {}
 
+  if (!assetRequest && related.indexOf(current) !== 0) {
+    return micro.send(res, 404, notFoundResponse)
+  }
+
+  const relatedExists = yield fs.exists(related)
   if (!relatedExists && flags.single === undefined) {
     return micro.send(res, 404, notFoundResponse)
   }