Respond with 404 for forbidden assets

[sevab]

There are a number of internal files in the dist directory that are currently publicly exposed by the fastboot server (e.g. dist/package.json, dist/node_modules/*, etc).

Don't think there are any security concerns with these files being exposed, just not the expected behavior of the server and not particularly elegant.

This commit returns a 404 when a client requests any of the forbidden assets.