diff --git a/frontend/src/hooks.server.test.ts b/frontend/src/hooks.server.test.ts
index f56eadd..d1b16b6 100644
--- a/frontend/src/hooks.server.test.ts
+++ b/frontend/src/hooks.server.test.ts
@@ -39,6 +39,15 @@ describe('auth guard (hooks.server.ts handle)', () => {
 		expect(resolve).toHaveBeenCalledWith(event);
 	});
 
+	it.each(['/_app/immutable/chunks/app.js', '/favicon.ico'])(
+		'allows static asset %s without auth',
+		async (path) => {
+			const { event, resolve } = createEvent(path);
+			await handle({ event, resolve });
+			expect(resolve).toHaveBeenCalledWith(event);
+		}
+	);
+
 	it('redirects unauthenticated requests on protected routes', async () => {
 		const { event, resolve } = createEvent('/planner');
 		try {
diff --git a/frontend/src/hooks.server.ts b/frontend/src/hooks.server.ts
index 4a690a1..6579fbc 100644
--- a/frontend/src/hooks.server.ts
+++ b/frontend/src/hooks.server.ts
@@ -4,7 +4,12 @@ import { apiClient } from '$lib/server/api';
 
 const PUBLIC_ROUTES = ['/login', '/register', '/invite'];
 
+const STATIC_PREFIXES = ['/_app/', '/favicon'];
+
 function isPublicRoute(pathname: string): boolean {
+	if (STATIC_PREFIXES.some((prefix) => pathname.startsWith(prefix))) {
+		return true;
+	}
 	return PUBLIC_ROUTES.some((route) => pathname === route || pathname.startsWith(route + '/'));
 }