diff --git a/actix-files/CHANGES.md b/actix-files/CHANGES.md index afb2d5d2..e6a174ac 100644 --- a/actix-files/CHANGES.md +++ b/actix-files/CHANGES.md @@ -3,6 +3,7 @@ ## Unreleased - Minimum supported Rust version (MSRV) is now 1.75. +- Allow serving `.well-known` files when serving dotfiles is otherwise disallowed. ## 0.6.6 diff --git a/actix-files/src/path_buf.rs b/actix-files/src/path_buf.rs index c1983279..50b9677e 100644 --- a/actix-files/src/path_buf.rs +++ b/actix-files/src/path_buf.rs @@ -40,11 +40,12 @@ impl PathBufWrap { return Err(UriSegmentError::BadChar('/')); } + // disallow invalid or suspicious path segments for segment in path.split('/') { if segment == ".." { segment_count -= 1; buf.pop(); - } else if !hidden_files && segment.starts_with('.') { + } else if segment != ".well-known" && !hidden_files && segment.starts_with('.') { return Err(UriSegmentError::BadStart('.')); } else if segment.starts_with('*') { return Err(UriSegmentError::BadStart('*')); @@ -105,6 +106,10 @@ mod tests { PathBufWrap::from_str("/test/.tt").map(|t| t.0), Err(UriSegmentError::BadStart('.')) ); + assert_eq!( + PathBufWrap::from_str("/.well-known/test/.tt").map(|t| t.0), + Err(UriSegmentError::BadStart('.')) + ); assert_eq!( PathBufWrap::from_str("/test/*tt").map(|t| t.0), Err(UriSegmentError::BadStart('*')) 
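Review bot: The new exemption `segment != ".well-known"` in the segment loop of `path_buf.rs` (hunk `@@ -40,11 +40,12`) applies at every depth, not only at the root of the request path. With `hidden_files` off, a directory named `.well-known` anywhere under the served root becomes reachable, for example `/test/.well-known/foo`, whereas RFC 8615 defines the prefix only at the path root. If only the root location is intended, tie the exemption to position, for instance `} else if !hidden_files && segment.starts_with('.') && !(segment == ".well-known" && buf.as_os_str().is_empty()) {`, assuming `buf` is the `PathBuf` being built and is still empty when the first real segment is seen. The added comment would also say more as `// reject dot-segments unless hidden_files is set; ".well-known" is exempt (RFC 8615)`. The loop and its enclosing function start and end outside the hunk.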
@@ -144,6 +149,33 @@ mod tests { ); } + #[test] + fn test_parse_well_known() { + assert_eq!( + PathBufWrap::parse_path("/.well-known/test/.tt", false).map(|t| t.0), + Err(UriSegmentError::BadStart('.')) + ); + assert_eq!( + PathBufWrap::parse_path("/.well-known/test/foo", false) + .unwrap() + .0, + PathBuf::from_iter(vec![".well-known", "test", "foo"]) + ); + + assert_eq!( + PathBufWrap::parse_path("/.well-known/test/.tt", true) + .unwrap() + .0, + PathBuf::from_iter(vec![".well-known", "test", ".tt"]) + ); + assert_eq!( + PathBufWrap::parse_path("/.well-known/test/foo", true) + .unwrap() + .0, + PathBuf::from_iter(vec![".well-known", "test", "foo"]) + ); + } + #[test] fn path_traversal() { assert_eq!( diff --git a/actix-web/CHANGES.md b/actix-web/CHANGES.md index 394a8c93..eca24d60 100644 --- a/actix-web/CHANGES.md +++ b/actix-web/CHANGES.md @@ -21,6 +21,7 @@ - On Windows, an error is now returned from `HttpServer::bind()` (or TLS variants) when binding to a socket that's already in use. - Update `brotli` dependency to `7`. - Minimum supported Rust version (MSRV) is now 1.75. +- Allow serving `.well-known` files when serving dotfiles is otherwise disallowed. ## 4.9.0
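Review bot: `test_parse_well_known` only exercises `.well-known` as the first path segment, so the tests do not pin how far the dotfile exemption reaches. Add cases with `hidden_files` set to false for a nested directory and for a near-miss name, such as `PathBufWrap::parse_path("/test/.well-known/foo", false)` and `PathBufWrap::parse_path("/.well-known.bak/foo", false)`, asserting whichever outcome is intended. Given the exact-match comparison in the parser, the second should remain `Err(UriSegmentError::BadStart('.'))`. The same gap applies to the assertion added in the `@@ -105,6 +106,10` hunk.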