diff --git a/docs/config/index.md b/docs/config/index.md
index 6bb9836e69094d..82519221acee4d 100644
--- a/docs/config/index.md
+++ b/docs/config/index.md
@@ -593,6 +593,15 @@ createServer()
   })
   ```
 
+### server.fs.deny
+
+- **Experimental**
+- **Type:** `string[]`
+
+  Blocklist for sensitive files being restricted to be served by Vite dev server.
+
+  Default to `['.env', '.env.*', '*.{pem,crt}']`.
+
 ### server.origin
 
 - **Type:** `string`
diff --git a/packages/playground/fs-serve/__tests__/fs-serve.spec.ts b/packages/playground/fs-serve/__tests__/fs-serve.spec.ts
index c3d8ee9a9bf911..263bcabad5e41f 100644
--- a/packages/playground/fs-serve/__tests__/fs-serve.spec.ts
+++ b/packages/playground/fs-serve/__tests__/fs-serve.spec.ts
@@ -41,6 +41,15 @@ describe('main', () => {
     test('nested entry', async () => {
       expect(await page.textContent('.nested-entry')).toBe('foobar')
     })
+
+    test('nested entry', async () => {
+      expect(await page.textContent('.nested-entry')).toBe('foobar')
+    })
+  
+    test('denied', async () => {
+      expect(await page.textContent('.unsafe-dotenv')).toBe('403')
+      expect(await page.textContent('.safe-root-file')).toBe('200')
+    })
   } else {
     test('dummy test to make jest happy', async () => {
       // Your test suite must contain at least one test.
diff --git a/packages/playground/fs-serve/root/src/index.html b/packages/playground/fs-serve/root/src/index.html
index 67a2371c6b27fb..b1e93e292d12eb 100644
--- a/packages/playground/fs-serve/root/src/index.html
+++ b/packages/playground/fs-serve/root/src/index.html
@@ -23,6 +23,10 @@ <h2>Unsafe /@fs/ Fetch</h2>
 <h2>Nested Entry</h2>
 <pre class="nested-entry"></pre>
 
+<h2>Denied</h2>
+<pre class="unsafe-dotenv"></pre>
+<pre class="safe-root-file"></pre>
+
 <script type="module">
   import '../../entry'
   import json, { msg } from '../../safe.json'
@@ -76,6 +80,24 @@ <h2>Nested Entry</h2>
       console.error(e)
     })
 
+  // .env, denied by default
+  fetch('/@fs/' + ROOT + '/root/.env')
+    .then((r) => {
+      text('.unsafe-dotenv', r.status)
+    })
+    .catch((e) => {
+      console.error(e)
+    })
+
+  // other files under the root, ok
+  fetch('/@fs/' + ROOT + '/root/vite.config.js')
+    .then((r) => {
+      text('.safe-root-file', r.status)
+    })
+    .catch((e) => {
+      console.error(e)
+    })
+
   function text(sel, text) {
     document.querySelector(sel).textContent = text
   }
diff --git a/packages/vite/src/node/server/index.ts b/packages/vite/src/node/server/index.ts
index 42a1b1b5601bdb..7a3ad551fbc7d6 100644
--- a/packages/vite/src/node/server/index.ts
+++ b/packages/vite/src/node/server/index.ts
@@ -162,6 +162,18 @@ export interface FileSystemServeOptions {
    * @experimental
    */
   allow?: string[]
+
+  /**
+   * Restrict accessing files that matches the patterns.
+   *
+   * This will have higher priority than `allow`.
+   * Glob patterns are supported.
+   *
+   * @default ['.env', '.env.*', '*.crt', '*.pem']
+   *
+   * @experimental
+   */
+  deny?: string[]
 }
 
 /**
@@ -690,6 +702,7 @@ export function resolveServerOptions(
 ): ResolvedServerOptions {
   const server = raw || {}
   let allowDirs = server.fs?.allow
+  const deny = server.fs?.deny || ['.env', '.env.*', '*.{crt,pem}']
 
   if (!allowDirs) {
     allowDirs = [searchForWorkspaceRoot(root)]
@@ -706,7 +719,8 @@ export function resolveServerOptions(
   server.fs = {
     // TODO: make strict by default
     strict: server.fs?.strict,
-    allow: allowDirs
+    allow: allowDirs,
+    deny
   }
   return server as ResolvedServerOptions
 }
diff --git a/packages/vite/src/node/server/middlewares/static.ts b/packages/vite/src/node/server/middlewares/static.ts
index 4132b0d39fe3a3..a8b8f201a474d5 100644
--- a/packages/vite/src/node/server/middlewares/static.ts
+++ b/packages/vite/src/node/server/middlewares/static.ts
@@ -12,6 +12,7 @@ import {
   isWindows,
   slash
 } from '../../utils'
+import match from 'minimatch'
 import { AccessRestrictedError } from './error'
 
 const sirvOptions: Options = {
@@ -122,6 +123,8 @@ export function serveRawFsMiddleware(
   }
 }
 
+const _matchOptions = { matchBase: true }
+
 export function isFileServingAllowed(
   url: string,
   server: ViteDevServer
@@ -131,6 +134,9 @@ export function isFileServingAllowed(
 
   const file = ensureLeadingSlash(normalizePath(cleanUrl(url)))
 
+  if (server.config.server.fs.deny.some((i) => match(file, i, _matchOptions)))
+    return false
+
   if (server.moduleGraph.safeModulesPath.has(file)) return true
 
   if (server.config.server.fs.allow.some((i) => file.startsWith(i + '/')))
diff --git a/packages/vite/types/shims.d.ts b/packages/vite/types/shims.d.ts
index 80a251b3f3b704..a351f6bfc81092 100644
--- a/packages/vite/types/shims.d.ts
+++ b/packages/vite/types/shims.d.ts
@@ -96,7 +96,11 @@ declare module 'rollup-plugin-web-worker-loader' {
 }
 
 declare module 'minimatch' {
-  function match(path: string, pattern: string): boolean
+  function match(
+    path: string,
+    pattern: string,
+    options?: { matchBase?: boolean }
+  ): boolean
   export default match
 }