Must access to the domain-verification file for Apple Pay at
https://[DOMAIN_NAME]/.well-known/apple-developer-merchantid-domain-association
be restricted to the Apple Pay IP addresses provided under the Allow Apple IP Addresses for Domain Verification heading of Setting Up Your Server | Apple Developer Documentation - https://developer.apple.com/documentation/apple_pay_on_the_web/setting_up_your_server#3172427 or can it be accessed publicly?
Asking because ".well-known" is usually meant to be public but, because the domain-verification file is used to validate a domain, should the file not be protected from public access so the file cannot be retrieved with the malicious intent to validate a spoofed domain?
Also, the fact that the domain-verification file content is not trivial hints that its access should be restricted.
Thank you!