justified usecase for access with files in a folder starting with a dot

[davidnuescheler]

I think that the 403 from static is accurate, if inconvenient and scary to the visitor. But come on, what should a visitor expect that is trying to sniff around in our .env files?
Originally posted by @trieloff in #218 (comment)

i just realized that apple pay requires access to a .well-known folder for domain verification.

https://developer.apple.com/documentation/apple_pay_on_the_web/maintaining_your_environment#3179140

i am not sure what would be the best way forward on this, any ideas? this may or may not be the only place where this happens, so i wonder if we should revisit the blacklisting of all . folder and be more selective or if we should white-list things selectively over the . blacklist.

[trieloff]

.well_known should get special treatment.

[davidnuescheler]

this one still doesn't seem to work, i don't know exactly why, possibly because the apple pay verification file doesn't have an extension...

[trieloff]

Yes, that's the likely reason. We can fix it in helix-dispatch with another request.