Stephen Rees-Carter :laravel:

You may have heard of the /.well-known/ path, and the security.txt file, but there is a new one you should be aware of too:

/.well-known/change-password

It should redirect to your change password form, so password managers can easily send users there.

securinglaravel.com/security-t

8 comments
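As an added example (not from the post or from securinglaravel.com), a small Python checker for the behaviour described above: it requests the well-known path without following redirects, treats a 2xx or a redirect carrying a Location header as support, and then also probes the "resource-that-should-not-exist" path from the W3C change-password spec so that a catch-all server answering 200 to everything is not mistaken for support. `table_fetcher` and its sample responses are constructed for offline use; `http_fetcher` is the assumed real one.

```python
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Mapping, Optional, Tuple

CHANGE_PASSWORD = "/.well-known/change-password"
# Probe path defined by the W3C spec: a server that answers 2xx here answers
# 2xx to anything, so a positive result on change-password proves nothing.
NOT_FOUND_PROBE = ("/.well-known/resource-that-should-not-exist-"
                   "whose-status-code-should-not-be-200")

# fetch(path) -> (status_code, headers), without following redirects
Fetcher = Callable[[str], Tuple[int, Mapping[str, str]]]


@dataclass
class ChangePasswordResult:
    supported: bool
    reason: str
    location: Optional[str] = None


def check_change_password(fetch: Fetcher) -> ChangePasswordResult:
    status, headers = fetch(CHANGE_PASSWORD)
    headers = {k.lower(): v for k, v in headers.items()}
    location = None
    if status in (301, 302, 303, 307, 308):
        location = headers.get("location")
        if not location:
            return ChangePasswordResult(False, f"redirect {status} without Location")
    elif not 200 <= status < 300:
        return ChangePasswordResult(False, f"unexpected status {status}")
    # Guard against catch-all servers before trusting the positive answer.
    probe_status, _ = fetch(NOT_FOUND_PROBE)
    if 200 <= probe_status < 300:
        return ChangePasswordResult(False, "server returns 2xx for a missing resource")
    return ChangePasswordResult(True, f"status {status}", location)


def table_fetcher(table: Dict[str, Tuple[int, Dict[str, str]]]) -> Fetcher:
    # Constructed offline stand-in: unknown paths answer 404 like a sane server.
    return lambda path: table.get(path, (404, {}))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx as HTTPError instead of following it


def http_fetcher(base_url: str) -> Fetcher:
    opener = urllib.request.build_opener(_NoRedirect)

    def fetch(path: str) -> Tuple[int, Mapping[str, str]]:
        try:
            with opener.open(base_url.rstrip("/") + path, timeout=10) as resp:
                return resp.status, dict(resp.headers)
        except urllib.error.HTTPError as err:
            return err.code, dict(err.headers)
    return fetch
```

Run it against a live site with `check_change_password(http_fetcher("https://example.com"))`; a `supported=False` result with the "missing resource" reason means the server cannot be assessed this way at all.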
hanno

@valorin That's been around for a while. I first implemented it for a page I'm responsible for in 2018.

Erik van Straten

@valorin : thanks, I wasn't aware of the existence of an RFC for a default change-password file!

For those interested: internet.nl checks any webserver for, among a lot of other things, the existence of the security.txt file (it shows its results in English, you don't have to know what Goudse kaas, stroopwafels and hagelslag mean ;-)

Best practices: internet.nl checks for lawful requirements of Dutch (Netherlands) governmental websites. After more than a year since that law came into effect, still a lot of govt. websites do not fully comply. In particular, many have still not set up HSTS correctly, such as Almere (internet.nl/site/almere.nl/295 - not detected by developer.mozilla.org/en-US/ob).

Unfortunately HSTS (which too often does not work) still has to help internet users, as browsers still do not *enforce* https connections in a sensible way (infosec.exchange/@ErikvanStrat).

(Coen Wesselman @wsslmn : do you like the idea of adding a check for "/.well-known/change-password", and if so, is that something you could ask to be included in the tests by internet.nl?)

#changepassword #change_password #security_txt #websites #website #webserver #SIDN #internet_nl #HSTS #MDN


Coen Wesselman

@ErikvanStraten personally I will share this with the @internet_nl project team, and let you know.

Personally this would improve password management for me. Too often the tools struggle with password changes and storing the right information to access an account.

@bartknubben @valorin

Internet.nl

@wsslmn @ErikvanStraten @valorin @bartknubben
Thanks, interesting! This one is also new to us and we haven’t studied it in detail yet. If you like a test for it to be implemented in Internet.nl, please file an issue at github.com/internetstandards/I. However, no guarantees if and when we can pick this up because the roadmap with improvements we are working on is already pretty full. 😅

CatSalad🐈🥗 (D.Burch) :blobcatrainbow:

@valorin @TindrasGrove I propose a new standard to indicate if one of my many, many catsalad accounts is located there (in case I forget)

/.well-known/catsalad

Contents should just contain 🐈🥗

David Peach

@valorin I've never understood what the well-known directory path was for. Maybe I should look into it. Thanks for this.

bob.php :veritrek_gold:

@valorin yeah, no thanks. I have a massive cron framework just for cleaning up the remnants bad libraries leave behind in .well-known; I absolutely hate it.
