This is a 7.x backport of the parent issue.
Drupal should support RFC 5785, which establishes a .well-known URI location: https://tools.ietf.org/html/rfc5785
These URIs are registered with IANA: https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml
This patch whitelists the .well-known directory in Drupal's .htaccess directive which blocks access to all hidden directories.
Nginx users can allow the .well-known directory like this (above the general line to block hidden directories and other stuff):