Hello,
Is it possible to disable the browser check mechanism for /.well-known/acme-challenge/* URLs? These addresses are used by the Let's Encrypt domain verification bot, which obviously would not solve the js/cookie challenge. To prevent potential abuse, the exemption could only be granted for static plaintext files under 200 bytes and/or rate-limited.