Email or username:

Password:

Forgot your password?
Stephen Rees-Carter :laravel:'s posts Post Back to profile
Stephen Rees-Carter :laravel:

You may have heard of the /.well-known/ path, and the security.txt file, but there is a new one you should be aware of too:

/.well-known/change-password

It should redirect to your change password form, so password managers can easily send users there.

securinglaravel.com/security-t

17 September at 11:05 | Open on phpc.social
8 comments
hanno

@valorin That's been around for a while. I first implemented it for a page I'm responsible for in 2018.

17 September at 12:11 | Open on mastodon.social
mkj
Erik van Straten

@valorin : thanks, I wasn't aware of the existence of an RFC for a default change-password file!

For those interested: internet.nl checks any webserver for, among a lot of other things, the existence of the security.txt file (it shows its results in English, you don't have to know what Goudse kaas, stroopwafels and hagelslag mean ;-)

Best practices: internet.nl checks for lawful requirements of Dutch (Netherlands) governmental websites. After more than a year since that law came into effect, still a lot of govt. websites do not fully comply. In particular, many have still not set up HSTS correctly, such as Almere (internet.nl/site/almere.nl/295 - not detected by developer.mozilla.org/en-US/ob).

Unfortunately HSTS (which too often does not work) still has to help internet users, as browsers still do not *enforce* https connections in a sensible way (infosec.exchange/@ErikvanStrat).

(Coen Wesselman @wsslmn : do you like the idea of adding a check for "/.well-known/change-password", and if so, is that something you could ask to be included in the tests by internet.nl?)

#changepassword #change_password #security_txt #websites #website #webserver #SIDN #internet_nl #HSTS #MDN

@valorin : thanks, I wasn't aware of the existence of an RFC for a default change-password file!

For those interested: internet.nl checks any webserver for, among a lot of other things, the existence of the security.txt file (it shows its results in English, you don't have to know what Goudse kaas, stroopwafels and hagelslag mean ;-)

17 September at 15:03 | Open on infosec.exchange
Coen Wesselman

@ErikvanStraten personally I will share this with the @internet_nl project team, and let you know.

Personally this would improve password management for me. Too often the tools struggle with password changes and storing the right information to access an account.

@bartknubben @valorin

17 September at 15:12 | Open on mastodon.nl
Internet.nl

@wsslmn @ErikvanStraten @valorin @bartknubben
Thanks, interesting! This one is also new to us and we haven’t studied it in detail yet. If you like a test for it to be implemented in Internet.nl, please file an issue at github.com/internetstandards/I. However, no guarantees if and when we can pick this up because the roadmap with improvements we are working on is already pretty full. 😅

17 September at 17:36 | Open on mastodon.nl
CatSalad🐈🥗 (D.Burch) :blobcatrainbow:

@valorin @TindrasGrove I propose a new standard to indicate if one of my many, many catsalad accounts are located there (in case I forget)

/.well-known/catsalad

Contents should just contain 🐈🥗

17 September at 20:26 | Open on infosec.exchange
David Peach

@valorin I've never understood what the well-known directory path was for. Maybe I should look into it. Thanks for this.

17 September at 21:30 | Open on phpc.social
bob.php :veritrek_gold:

@valorin yeah no thanks i have a massive cron framework just for cleaning up the remnants bad libraries leave behind in .well-known, i absolutely hate it.

17 September at 23:03 | Open on phpc.social
Go Up