Must access to the domain-verification file for Apple-Pay at
be restricted to the Apple Pay IP addresses provided under the Allow Apple IP Addresses for Domain Verification heading of Setting Up Your Server | Apple Developer Documentation or can it be accessed publicly?
Asking because ".well-known" is usually meant to be public but, because the domain-verification file is used to validate a domain, should the file not be protected from public access so the file cannot be retrieved with the malicious intent to validate a spoofed domain?
Also, the fact the domain-verification file content is not trivial hints its access should be restricted.
Thank you!
Code Block https://[DOMAIN_NAME]/.well-known/apple-developer-merchantid-domain-association
be restricted to the Apple Pay IP addresses provided under the Allow Apple IP Addresses for Domain Verification heading of Setting Up Your Server | Apple Developer Documentation or can it be accessed publicly?
Asking because ".well-known" is usually meant to be public but, because the domain-verification file is used to validate a domain, should the file not be protected from public access so the file cannot be retrieved with the malicious intent to validate a spoofed domain?
Also, the fact the domain-verification file content is not trivial hints its access should be restricted.
Thank you!
