diff --git a/packages/playground/fs-serve/__tests__/fs-serve.spec.ts b/packages/playground/fs-serve/__tests__/fs-serve.spec.ts
index 49d0ffd0d57bf7..c3d8ee9a9bf911 100644
--- a/packages/playground/fs-serve/__tests__/fs-serve.spec.ts
+++ b/packages/playground/fs-serve/__tests__/fs-serve.spec.ts
@@ -24,8 +24,8 @@ describe('main', () => {
 })

 test('unsafe fetch', async () => {
- expect(await page.textContent('.unsafe-fetch')).toBe('')
- expect(await page.textContent('.unsafe-fetch-status')).toBe('404') // TODO: should be 403
+ expect(await page.textContent('.unsafe-fetch')).toMatch('403 Restricted')
+ expect(await page.textContent('.unsafe-fetch-status')).toBe('403')
 })

 test('safe fs fetch', async () => {
diff --git a/packages/vite/src/node/server/middlewares/static.ts b/packages/vite/src/node/server/middlewares/static.ts
index f3dc8fe6fc3820..5a44a3d5303c7a 100644
--- a/packages/vite/src/node/server/middlewares/static.ts
+++ b/packages/vite/src/node/server/middlewares/static.ts
@@ -82,15 +82,12 @@ export function serveStaticMiddleware(
 }

 const resolvedUrl = redirected || url
- const fileUrl = path.resolve(
- dir,
- resolvedUrl.startsWith('/') ? resolvedUrl.slice(1) : resolvedUrl
- )
- // TODO: should use ensureServingAccess(fileUrl, server), so we get a 403
- if (!isFileServingAllowed(fileUrl, server)) {
- return next()
+ let fileUrl = path.resolve(dir, resolvedUrl.replace(/^\//, ''))
+ if (resolvedUrl.endsWith('/') && !fileUrl.endsWith('/')) {
+ fileUrl = fileUrl + '/'
 }
-
+ ensureServingAccess(fileUrl, server)
+
 if (redirected) {
 req.url = redirected
 }
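Review bot: The bare call `ensureServingAccess(fileUrl, server)` in the static.ts hunk discards any return value and no `return` follows it, so a denied path is stopped only if that helper throws. Its definition is outside this diff, so the contract should be stated at the call site, e.g. `// throws (surfaced as 403) when fileUrl is outside the allowed roots; must stay ahead of any code that serves the file`. If the helper were later changed to return a boolean, this middleware would fall through and serve the file, which the removed `if (!isFileServingAllowed(fileUrl, server)) { return next() }` form did not risk. The check also runs on the `path.resolve` result, which is purely lexical; whether symlinks, a query string or percent-encoding left in `resolvedUrl` are normalised before this point is not visible here and is worth confirming. serveStaticMiddleware's body begins and ends outside the hunk.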