diff --git a/src/variations/frankenphp/etc/frankenphp/Caddyfile b/src/variations/frankenphp/etc/frankenphp/Caddyfile
index 56691112..4029feda 100644
--- a/src/variations/frankenphp/etc/frankenphp/Caddyfile
+++ b/src/variations/frankenphp/etc/frankenphp/Caddyfile
@@ -91,6 +91,35 @@ fd00::/8 \
 }
 log_skip @healthcheckpath
+ # Define specific endpoint under .well-known/
+ # https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml
+ # https://en.wikipedia.org/wiki/Well-known_URI
+ @wellknown-allowed {
+ # ACME
+ path /.well-known/acme-challenge/*
+
+ # Security & identity
+ path /.well-known/security.txt
+
+ # OAuth / OpenID
+ path /.well-known/openid-configuration
+ path /.well-known/oauth-authorization-server
+
+ # Mobile / platform verification
+ # https://developer.apple.com/documentation/xcode/supporting-associated-domains
+ path /.well-known/assetlinks.json
+ path /.well-known/apple-app-site-association
+ path /.well-known/apple-developer-merchantid-domain-association
+ }
+
+ handle @wellknown-allowed {
+ file_server
+ }
+
+ # Block everything else under .well-known
+ @wellknown-blocked path /.well-known/*
+ respond @wellknown-blocked 403
+
 php_server {
 {$CADDY_PHP_SERVER_OPTIONS}
 }
@@ -127,8 +156,12 @@ fd00::/8 \
 }
 (security) {
- # Reject dot files and certain file extensions
- @rejected path *.bak *.conf *.dist *.fla *.ini *.inc *.inci *.log *.orig *.psd *.sh *.sql *.swo *.swp *.swop */.*
+ # Reject dot files and certain file extensions, excluding .well-known/
+ @rejected {
+ path *.bak *.conf *.dist *.fla *.ini *.inc *.inci *.log *.orig *.psd *.sh *.sql *.swo *.swp *.swop */.*
+ # .well-known needs to be whitelisted, further handling in php-app-common
+ not path /.well-known/*
+ }
 # Return 403 Forbidden for rejected files
 respond @rejected 403
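Review bot: The `handle @wellknown-allowed { file_server }` block in the first hunk routes `/.well-known/openid-configuration` and `/.well-known/oauth-authorization-server` to the static file server only, so they never reach `php_server`; those two discovery documents are normally generated by the application, and with this config they will answer 404 unless a static file of that name has been placed in the web root. If the app is meant to serve them, take them out of `@wellknown-allowed` and exempt them from the catch-all instead so they fall through to PHP: `@wellknown-blocked { path /.well-known/* ; not path /.well-known/openid-configuration /.well-known/oauth-authorization-server }`. It would also help to record in the comment above `@wellknown-allowed` that the list is served from the static root and that app-generated endpoints must be handled differently. The enclosing block starts and ends outside the hunk.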
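Review bot: In the second hunk, `not path /.well-known/*` lifts the `*/.*` dot-file rejection for everything beneath that prefix, not only for the well-known directory itself, so a nested hidden path such as `/.well-known/acme-challenge/.somefile` is no longer rejected by `(security)`; whether it is still blocked then depends on the companion `@wellknown-blocked`/`file_server` handling being imported alongside this snippet, which the comment only references. Because matchers inside `@rejected` are ANDed, the nested case cannot be re-added there; a separate matcher keeps the protection independent of the other snippet: `@rejected_nested path /.well-known/*/.*` followed by `respond @rejected_nested 403`. The `(security)` snippet's closing brace is outside the hunk.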