diff --git a/index.js b/index.js
index 36866e2..1542aac 100644
--- a/index.js
+++ b/index.js
@@ -81,12 +81,12 @@ module.exports = function (root, options) {
     var directory = path === '' || path.slice(-1) === '/'
     if (index && directory) path += 'index.html'
 
+    // hidden file support
+    if (!hidden && isHidden(path)) return
+
     // regular paths can not be absolute
     path = resolve(root, path)
 
-    // hidden file support
-    if (!hidden && leadingDot(path)) return
-
     var file = yield* get(path)
     if (!file) return // 404
 
@@ -245,8 +245,12 @@ function ignoreStatError(err) {
   throw err
 }
 
-function leadingDot(path) {
-  return '.' === basename(path)[0]
+function isHidden(path) {
+  // unescaped version: /[/\].(?!.[/\])/
+  // [\/] matches a path separator, . matches leading dot
+  // while (?!.[/\]) makes sure that something like /../ should not be matched
+  // and is passed to resove-path to get the correct error response
+  return /(^|[\\\/])\.(?!\.[\\\/])/.test(path);
 }
 
 function random() {