diff --git a/datasette/utils/asgi.py b/datasette/utils/asgi.py
index ed3138d0..df358240 100644
--- a/datasette/utils/asgi.py
+++ b/datasette/utils/asgi.py
@@ -328,6 +328,9 @@ def asgi_static(root_path, chunk_size=4096, headers=None, content_type=None):
 except FileNotFoundError:
 await asgi_send_html(send, "404", 404)
 return
+if full_path.is_dir():
+await asgi_send_html(send, "403: Directory listing is not allowed", 403)
+return
 # Ensure full_path is within root_path to avoid weird "../" tricks
 try:
 full_path.relative_to(root_path)
diff --git a/tests/test_config_dir.py b/tests/test_config_dir.py
index 24c96a2b..e495b9d3 100644
--- a/tests/test_config_dir.py
+++ b/tests/test_config_dir.py
@@ -114,6 +114,12 @@ def test_static(config_dir_client):
 assert "text/css" == response.headers["content-type"]
 
 
+def test_static_directory_browsing_not_allowed(config_dir_client):
+response = config_dir_client.get("/static/")
+assert 403 == response.status
+assert "403: Directory listing is not allowed" == response.text
+
+
 def test_databases(config_dir_client):
 response = config_dir_client.get("/-/databases.json")
 assert 200 == response.status
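Review bot: The new `is_dir()` check is placed before the `full_path.relative_to(root_path)` containment check that follows it in the hunk, so a resolved path that escapes root_path is answered with 403 when it names a directory and, presumably via the except branch below the hunk, with something else otherwise — the status code then reveals whether directories outside the static root exist. Moving the three added lines (`if full_path.is_dir():` / `await asgi_send_html(send, "403: Directory listing is not allowed", 403)` / `return`) to just after the `relative_to` try/except keeps every out-of-root path on the same branch, and only directories inside the root receive the 403. asgi_static starts and ends outside this hunk, so what happens when `relative_to` raises is inferred, not visible.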
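Review bot: test_static_directory_browsing_not_allowed only covers the static root `/static/`; a nested directory (`/static/<subdir>/`) and the same path without a trailing slash go through the same `is_dir()` branch and are worth a second case so a later change that special-cases the root does not slip through. Whether the config_dir fixture contains a subdirectory is not visible here; if it does not, the fixture would need one. test_databases continues outside the hunk.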