diff --git a/server/server.go b/server/server.go
index 4ae85ebb..e684992b 100644
--- a/server/server.go
+++ b/server/server.go
@@ -77,6 +77,8 @@ var (
 	authPathRegex          = regexp.MustCompile(`^/[-_A-Za-z0-9]{1,64}(,[-_A-Za-z0-9]{1,64})*/auth$`)
 	publishPathRegex       = regexp.MustCompile(`^/[-_A-Za-z0-9]{1,64}/(publish|send|trigger)$`)
 
+	// Note: new paths that should be viewable directly in the browser should be added to web/public/sw.js's navigation fallback denyList as well
+
 	webConfigPath                                        = "/config.js"
 	webManifestPath                                      = "/manifest.webmanifest"
 	webRootHTMLPath                                      = "/app.html"
diff --git a/web/public/sw.js b/web/public/sw.js
index 3d10db2d..4585b38f 100644
--- a/web/public/sw.js
+++ b/web/public/sw.js
@@ -245,10 +245,11 @@ if (!import.meta.env.DEV) {
         // this is so we don't respond to `/` UNLESS it's the app root itself, defined above
         /^\/.+$/,
       ],
-      // only /docs is required so it is navigable in the browser.
-      // the rest are nice-to-haves so the single-page-app doesn't try to handle them, but `fetch`
-      // and browser requests would work anyway.
-      denylist: [/^\/(docs|static|file).*$/, /^\/(app.html|manifest.webmanifest|sw.js|config.js)$/],
+      // only /docs, /file and /v1 are required so they are navigable in the browser (files for clicking on attachments,
+      // v1 for the redirect from Stripe). The rest are nice-to-haves so the single-page-app doesn't try to handle them,
+      // but `fetch` and browser requests would work anyway – they are mainly there so inspecting them is easier than
+      // calling the URLs via curl.
+      denylist: [/^\/(docs|file|v1|metrics|static|_matrix).*$/, /^\/(app.html|manifest.webmanifest|sw.js|config.js)$/],
     })
   );