diff --git a/internal/httpd/httpd_test.go b/internal/httpd/httpd_test.go
index 3bebde00..9aa04c97 100644
--- a/internal/httpd/httpd_test.go
+++ b/internal/httpd/httpd_test.go
@@ -12903,6 +12903,18 @@ func TestDefender(t *testing.T) {
 	rr = executeRequest(req)
 	checkResponseCode(t, http.StatusForbidden, rr)
 	assert.Contains(t, rr.Body.String(), "your IP address is blocked")
+	// requests for static files should be always allowed
+	req, err = http.NewRequest(http.MethodGet, "/static/favicon.ico", nil)
+	assert.NoError(t, err)
+	req.RemoteAddr = remoteAddr
+	rr = executeRequest(req)
+	checkResponseCode(t, http.StatusOK, rr)
+
+	req, err = http.NewRequest(http.MethodGet, "/.well-known/acme-challenge/foo", nil)
+	assert.NoError(t, err)
+	req.RemoteAddr = remoteAddr
+	rr = executeRequest(req)
+	checkResponseCode(t, http.StatusNotFound, rr)
 
 	_, err = httpdtest.RemoveUser(user, http.StatusOK)
 	assert.NoError(t, err)
diff --git a/internal/httpd/server.go b/internal/httpd/server.go
index 6dcb0195..66ff6b69 100644
--- a/internal/httpd/server.go
+++ b/internal/httpd/server.go
@@ -1231,6 +1231,17 @@ func (s *httpdServer) mustStripSlash(r *http.Request) bool {
 		!strings.HasPrefix(urlPath, webStaticFilesPath) && !strings.HasPrefix(urlPath, acmeChallengeURI)
 }
 
+func (s *httpdServer) mustCheckPath(r *http.Request) bool {
+	var urlPath string
+	rctx := chi.RouteContext(r.Context())
+	if rctx != nil && rctx.RoutePath != "" {
+		urlPath = rctx.RoutePath
+	} else {
+		urlPath = r.URL.Path
+	}
+	return !strings.HasPrefix(urlPath, webStaticFilesPath) && !strings.HasPrefix(urlPath, acmeChallengeURI)
+}
+
 func (s *httpdServer) initializeRouter() {
 	var hasHTTPSRedirect bool
 	s.tokenAuth = jwtauth.New(jwa.HS256.String(), getSigningKey(s.signingPassphrase), nil)
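Review bot: The comment `// requests for static files should be always allowed` heads both new request blocks, but the second block exercises the ACME challenge path rather than a static file; a second comment such as `// ACME challenge requests must bypass the defender too` before the `/.well-known/acme-challenge/foo` request would keep the two cases distinct. The 404 assertion for the ACME path shows the request reached the router instead of receiving the 403 defender response, which is what the test needs; a further request for a path that merely starts with the static prefix but is not a static asset, if the router has one, would additionally pin down that the exemption does not over-match. TestDefender begins and ends outside the hunk.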
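Review bot: mustCheckPath has no doc comment and its exemption is a bare prefix test; `// mustCheckPath reports whether checkConnection must run for r. Static assets and ACME challenge paths are exempted so that blocked clients can still fetch them.` would state the intent, and it is worth confirming that webStaticFilesPath ends with a path separator (or appending one in the comparison), since otherwise any path that merely begins with that string, not only the static route, skips the connection check. The urlPath selection from rctx.RoutePath / r.URL.Path and the two HasPrefix calls duplicate what the visible tail of mustStripSlash already does; a shared helper such as `func isExemptPath(urlPath string) bool` called from both methods would keep the two exemptions from drifting apart. mustStripSlash begins outside the hunk, so its full body is not visible here.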
@@ -1240,7 +1251,7 @@ func (s *httpdServer) initializeRouter() {
 	s.router.Use(s.parseHeaders)
 	s.router.Use(logger.NewStructuredLogger(logger.GetLogger()))
 	s.router.Use(middleware.Recoverer)
-	s.router.Use(s.checkConnection)
+	s.router.Use(middleware.Maybe(s.checkConnection, s.mustCheckPath))
 	if s.binding.Security.Enabled {
 		secureMiddleware := secure.New(secure.Options{
 			AllowedHosts: s.binding.Security.AllowedHosts,
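Review bot: Wrapping s.checkConnection in middleware.Maybe skips everything that middleware does for the exempted paths, not only the defender block that TestDefender covers; if checkConnection also applies other per-client checks (its body is not visible from here), those no longer run for static and ACME challenge requests, which is acceptable only if that is the intended trade-off. A short comment on this line, `// static assets and ACME challenges are served even to blocked clients`, would make that decision visible next to the wiring rather than only in mustCheckPath. initializeRouter continues outside the hunk.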