| ▲ | So You Want to Define a Well-Known URI(mnot.net) |
| 118 points by ingve 9 hours ago | 67 comments |
| |
|
| ▲ | reddalo 8 hours ago | parent | next [-] |
| I wish people would follow this, instead of coming up with new standards in the root namespace. "llms.txt" [1] comes to mind, for example. Let's stop polluting the root of a domain! [1] https://llmstxt.org/ |
| |
| ▲ | rickette 7 hours ago | parent [-] | | LLMs.txt is also nonsense since it isn't adopted by any of the major AI players. | | |
| ▲ | networked 6 hours ago | parent | next [-] | | Google has recently added `llms.txt` to Chrome's Lighthouse check for agentic browsing (https://searchengineland.com/google-llms-txt-chrome-lighthou...), so adoption may be coming. Admittedly, I put more faith in <link rel="alternate" type="text/markdown" href="https://example.com/foo.md" title="Markdown version of the <Foo> page">
that I copied from Gwern.net. This convention is discoverable (just read the HTML) and naturally adapts to any website size and structure.I have created an `llms.txt` for my website anyhow. I use a fixed LLM prompt to generate it from the internal links in `index.md`. | | |
| ▲ | iamacyborg 5 hours ago | parent [-] | | Giving a markdown version of a page seems like an interesting choice instead of just embedding a schema marked up one | | |
| ▲ | chrisweekly an hour ago | parent | next [-] | | It gets even more "interesting" for markdown-based systems like Astro or Obsidian Publish: author in md -> ship html && optionally serve md? | |
| ▲ | vidarh 5 hours ago | parent | prev [-] | | Every page on code.claude.com has a markdown version available by just appending ".md", and Claude Code knows about it. E.g: https://code.claude.com/docs/en/overview and https://code.claude.com/docs/en/overview.md | | |
| ▲ | 9dev 4 hours ago | parent [-] | | After some consideration, I also applied this convention to every site I build - including content negotiation: Clients can either send an Accept header with their preference, or append an explicit extension (.md|.markdown for Markdown, .json for JSON API responses, or .html for the human HTML page). Together with the content negotiation part, it feels very much like HTTP was intended to work - especially the fact that API clients, AI agents, and humans all use the same URLs, but get the content in the shape they need. | | |
| ▲ | vidarh 4 hours ago | parent [-] | | I've done this off and on for various sites over the years too, and probably should be more consistent about it. A number of sites do or used to do some variation of this, and I wish it was more widespread. E.g. Reddit will serve up a json version of a sub-dreddit if you do /r/subreddit.json |
|
|
|
| |
| ▲ | pfannl 2 hours ago | parent | prev | next [-] | | To be fair, "not adopted by any major AI player" is probably the most web-standard-compliant phase of a new web standard. | |
| ▲ | dspillett 5 hours ago | parent | prev [-] | | The same could be said of robots.txt And anything else that might tell them not to access something. | | |
|
|
|
| ▲ | sandblast 7 hours ago | parent | prev | next [-] |
| No, in fact I don't. But this post wouldn't be of any help anyway. It feels like it's about nothing, there is no substance, just stating some obvious facts. Without examples that lead to some real recommendations, this whole expertise claimed by the author is of no use. |
| |
|
| ▲ | 1vuio0pswjnm7 an hour ago | parent | prev | next [-] |
| "This Web site requires a more modern browser to operate securely; please upgrade your browser." Alternative, no SNI required https://web.archive.org/web/20260619061625if_/https://mnot.n... |
| |
| ▲ | 1vuio0pswjnm7 30 minutes ago | parent | next [-] | | The so-called "modern" web browsers send SNI to all websites even when not required For example, Firefox would send SNI to archive.org even though TLS connections to archive.org without sending SNI work just the same Some www users dislike SNI because it defeats the puported purpose of "encrypted DNS". It reveals domain names in plaintext on the wire. For some www users, this does not qualify as "operating securely" SNI benefits CDNs and arguably their customers. But the benefits, if any, to www users may be offset by the costs of sending plaintext domain names I'm selective about sending SNI. I don't send it when it isn't necessary. There are still many sites not using CDNs I accomplish this selectivity by _not_ using a so-called "modern" browser to make remote HTTP requests. I can also force TLSv1.3 by not using the browser to send remote HTP requests Nor do I use DNS lookups when I make remote HTTP requests. I have collected the DNS data in bulk at regular intervals from a variety of sources that I can cross check against each other. This works well for me but might not be appropriate for others Every www user is different Some might like SNI, they might not care about plaintext domain names To each their own | |
| ▲ | xyzzy_plugh an hour ago | parent | prev [-] | | SNI is good, though? I'm curious how you are running into this. |
|
|
| ▲ | inigyou an hour ago | parent | prev | next [-] |
| The consideration about having more than one of them on a domain seems like something that's often overlooked. |
|
| ▲ | momoraul 2 hours ago | parent | prev | next [-] |
| .well-known started tidy and quietly became the junk drawer of the web root. security.txt, ACME, app-site-association, and counting. |
| |
| ▲ | marcosdumay an hour ago | parent | next [-] | | What do you mean? It was explicitly designed to be a junk drawer. | | | |
| ▲ | delichon an hour ago | parent | prev | next [-] | | A junk drawer is an improvement over scattered junk. | | | |
| ▲ | inigyou an hour ago | parent | prev [-] | | Isn't that the point though? Keeping all the junk in a drawer labeled as junk, instead of keeping it on the kitchen counter? |
|
|
| ▲ | jvuygbbkuurx 8 hours ago | parent | prev | next [-] |
| Why are they so specific? Why password-reset instead of a more generic link tree? Why discord domain verification instead of domain-verifications with a dynamic list on entries? Seems like a waste of time. I would just define my own spec outside of well known for my use case. |
| |
| ▲ | reddalo 8 hours ago | parent | next [-] | | Your own spec wouldn't be used by anyone else. The password-reset well-known endpoint is used by password managers to show a "Change password..." button in their interface, which magically links to the password change page described in that well-known file. | | |
| ▲ | jvuygbbkuurx 8 hours ago | parent [-] | | If the website implements it. What about email preferences? Removing account links? There are many use-cases you might want to redirect a user to, but having to make their own well known for it seems dumb instead of using a more generic one. I guess the more flexible it is, the harder adoption becomes as the usage within a spec might diverge, or it grows outside of the spec and becomes unofficial. So maybe password-reset is correct level of specification. Anyway discord domain verification can tell in their onboarding docs to put it anywhere. It being well known does nothing. If there was a root level domain verification, then you might as well put it under that. But otherwise why go through a process? | | |
| ▲ | notpushkin 7 hours ago | parent [-] | | It’s just easier for everybody to implement. Password manager opens https://<some-website>/.well-known/change-password in the user’s browser, it gets redirected to the actual page where password change form is located. You could make the password manager look it up in a link tree and then open a correct page, yes, but... > I guess the more flexible it is, the harder adoption becomes Yeah. If there is one account management related URL that password managers care about, it’s the change password page. You don’t really need to change email on your account that often, but it is probably a good idea to rotate your password once in a while. So I guess it’s a good idea to make it as easy as possible to adopt – which means just a single URL redirecting to another. > If the website implements it. That’s a good catch, though. I guess right now password managers would still have to make a “preflight” request just to see if /.well-known/change-password is implemented before showing it to the user. (But that can go away if most websites adopt it.) | | |
| ▲ | masklinn 6 hours ago | parent [-] | | > That’s a good catch, though. I guess right now password managers would still have to make a “preflight” request just to see if /.well-known/change-password is implemented before showing it to the user. (But that can go away if most websites adopt it.) It’s not really a catch? Like robots.txt it’s just something you probe if you have the capabilities to use it. You can just cache the info afterwards. |
|
|
| |
| ▲ | arcfour 7 hours ago | parent | prev | next [-] | | > Why discord domain verification instead of domain-verifications with a dynamic list on entries? The TXT record itself is already a dynamic list of entries. It's far simpler and easier to iterate through the list and compare the start of each value with your search string until you find "discord domain verification" directly than it would be to do anything else. Example: ;; ANSWER SECTION:
ycombinator.com. 300 IN TXT "openai-domain-verification=dv-QbhxxK0G0JK0dnyZ4YTsNAfw"
ycombinator.com. 300 IN TXT "v=spf1 include:_spf.google.com include:mailgun.org a:rsweb1-36.investorflow.com include:_spf.createsend.com include:servers.mcsv.net -all"
ycombinator.com. 300 IN TXT "MS=ms37374900"
ycombinator.com. 300 IN TXT "anthropic-domain-verification-0qe2ww=yK576oHdDgyTcXgkPfj1KXgGt"
ycombinator.com. 300 IN TXT "ZOOM_verify_2ndw8KZxSRa8PT8NmdyXvw"
ycombinator.com. 300 IN TXT "google-site-verification=KsI69Y_jEVkp4eXqSQ9R9gwxjIpZznvuvrus6UolB9Y"
ycombinator.com. 300 IN TXT "ca3-4861b957e83847c188e45d04ec314ee3"
ycombinator.com. 300 IN TXT "apple-domain-verification=WG0sP5Alm7N6h1Te"
ycombinator.com. 300 IN TXT "dropbox-domain-verification=asc63coma4mv"
ycombinator.com. 300 IN TXT "google-site-verification=GJKdQskycEclAGPua3yXB9m_nVhxbrsVps_y-t9SXV0"
ycombinator.com. 300 IN TXT "Wayback verify for support request 741082"
ycombinator.com. 300 IN TXT "google-site-verification=rivq8jKu6AADGtbbEzJhmOpcqq08B7QxIzXxYV8DtyU"
ycombinator.com. 300 IN TXT "rippling-domain-verification=a660f7a4ab77a3de"
| | |
| ▲ | teddyh 4 hours ago | parent | next [-] | | Having all those TXT records at the domain apex like that makes the TXT query reply huge, which affects, for instance, every mail recipient who merely wants to check the SPF record. This is a bad pattern to follow. | | |
| ▲ | Bender 21 minutes ago | parent | next [-] | | The domains with large numbers of TXT records are also used in DNS DDoS amplification attacks. Spoofed UDP requests to domains that have a large number of TXT records are used to slam other sites. In the past I would transparently strip the TXT records when I ran public DNS recursive resolvers nobody noticed except the botters but some here may be activated. Some domains with a lot of dangling records: for i in $(echo "ycombinator.com 500px.com box.com ebay.com google.com hm.com lenovo.com nordstrom.com realtor.com tmz.com wired.com");do dig +short +nocookie -t TXT "${i}";echo;done
In unbound.conf: local-zone: ycombinator.com typetransparent
local-data: 'ycombinator.com. TXT "[ddos redacted]"'
after the changes: dig +short +nocookie -t txt ycombinator.com
"[ddos redacted]"
| |
| ▲ | inigyou an hour ago | parent | prev [-] | | The better pattern is to use an underscore prefix like _discord-verification.domain.com If your site allows user-created subdomains it shouldn't allow leading underscore. This is reserved somehow. |
| |
| ▲ | bombcar 4 hours ago | parent | prev | next [-] | | Domain verifications leak information that they shouldn't - it should be "random key.domain.com in TXT randomkey" | |
| ▲ | sandblast 7 hours ago | parent | prev [-] | | "Domain-verifications" is an invitation for everyone else that might need it to use the same standard and convention. "Discord-domain-verification" is not, it's what feels like polluting the global namespace with the company name that might cease to exist in a few years. At the very least, it should be "domain-verification-discord", "-google" and so on. Maybe even "-com.discord", "-com.google"? And the first part clearly standardized and registered, instead of one entity using "domain" and another one "site". | | |
| ▲ | arcfour 7 hours ago | parent [-] | | Why? | | |
| ▲ | zamadatix 5 hours ago | parent [-] | | Why reinvent the wheel differently 50,000 times instead? I'll usually even prefer a badly designed, but standard, format/encoding over a NIH one from each company - it's just less friction in the end. Heck - include a common format for the value too, then it opens up doors to automating generation with new sites & automatically validating this config for any site following the common format. |
|
|
| |
| ▲ | notpushkin 7 hours ago | parent | prev [-] | | > discord domain verification That’s on Discord. They’re not in the registry: https://www.iana.org/assignments/well-known-uris/well-known-... > Why password-reset instead of a more generic link tree? [edit: answered in more detail in a sibling thread https://news.ycombinator.com/item?id=48596286] |
|
|
| ▲ | jiggunjer 4 hours ago | parent | prev | next [-] |
| Title says uri but post only about urls, a type of uri |
|
| ▲ | einpoklum 8 hours ago | parent | prev | next [-] |
| How well-known are those URIs though? :-\ |
| |
| ▲ | Joker_vD 23 minutes ago | parent | next [-] | | Slightly less well-known than XDG directories among the developers of Linux-targeted software, it would seem. Seriously, what an oxymoronic name. "/index.html" is a well known URL, literally: most of web-developers are aware of it. But inventing a bunch of URLs with predefined semantics and then slapping the "well-known" label on it... well, it won't magically make them actually well-known. | |
| ▲ | eschatology 7 hours ago | parent | prev | next [-] | | I spent 10 minutes searching for one in the article, in the RFC, in the wikipedia page, on google, to search for a .well-known example. Couldn't find one. I did read one before while working with github oidc, and I did find it very useful. What is it with technical documentations that go deep describing what it is in plenty words but refusing to give a single example? This far from the first case I've ran into either. | | |
| ▲ | deathanatos 32 minutes ago | parent | next [-] | | > I spent 10 minutes searching for one in the article, in the RFC, in the wikipedia page, on google, to search for a .well-known example. Couldn't find one. I don't know how that can be, since you claim to have found the RFC; the RFC straight-forwardly states, > 5. IANA Considerations > This specification updates the registration procedures for the "Well-Known URI" registry, first defined in [RFC5785]; see Section 3.1. & then of course directs IANA to establish a registry. We'd expect this section, given the very nature of the RFC is that it establishes a collection of things, so that there is an IANA considerations section should be wholly unsurprising… If you see the linked section… > The "Well-Known URIs" registry is located at <https://www.iana.org/assignments/well-known-uris/>. And there's a link to a listing of every standardized .well-known URI there is. > What is it with technical documentations that go deep describing what it is in plenty words but refusing to give a single example? The RFC provides an example in the form of "example", but also in the form of "robots.txt" (as a "it could have used this, had this existed", but what else could it have done?). | |
| ▲ | hahajk 3 hours ago | parent | prev [-] | | I've been setting up some federated servers (Matrix, activitypub) and I ran into .well_known/ paths in many of them. Webfinger resolver for activitypub and a more custom matrix server-to-server federation endpoint. |
| |
| ▲ | reddalo 7 hours ago | parent | prev | next [-] | | There's an interesting list on Wikipedia: https://en.wikipedia.org/wiki/Well-known_URI#List_of_well-kn... | | |
| ▲ | eschatology 7 hours ago | parent [-] | | Not one of them links to the actual well-known resource, only pdf specifications. And several I picked randomly leads to dead ends. Here's one I could find:
https://accounts.google.com/.well-known/openid-configuration But how does one even find this? | | |
| ▲ | masklinn 7 hours ago | parent [-] | | well-known is for programmatic access, it either namespaces something you’re told to look for (e.g. various types of domain markers) or it lets you discover a feature / endpoint. In the latter case you just probe, for instance if you’re a password manager and you have a password for site A you hit A/.well-known/change-password and if they returns something you can surface a change password link to your user. The one you found is for OIDC provider discovery (https://openid.net/specs/openid-connect-discovery-1_0.html#P...) so someone tells you they want to log in via Google, you hit that endpoint, and it lets you setup Google as an oidc provider rather without needing to hard-code providers. Even if you just want to support Google as a provider, you hit that and you get the entire configuration rather than have to hunt down the same information in the docs. | | |
| ▲ | eschatology 6 hours ago | parent [-] | | Thank you, that it is part of OIDC provider discovery spec explains a lot. That said, I still find it very bizzare that it's so hard to find a tangible example to see how it is in practice. The rfc has none. Another spec including the use of it has none. In the end only completed service provider/implementers show it. Before programmatic access happens, it needs to be written by a human. Yet the whole thing feels so human-unfriendly. Perhaps I am biased robots.txt sets a high bar on how easy it is to find and work with? | | |
| ▲ | masklinn 6 hours ago | parent [-] | | What RFC? The oidc discovery spec has an example, and for change-password it’s just a redirect. RFC 8615 is about the existence and management of the .well-know namespace, so examples don’t really make sense. | | |
|
|
|
| |
| ▲ | ano-ther 7 hours ago | parent | prev | next [-] | | They are collected at this registry: https://www.iana.org/assignments/well-known-uris/well-known-... | |
| ▲ | timwis 8 hours ago | parent | prev [-] | | I agree. I was hoping for a few positive examples, but didn't see any. The only one I know of is the OIDC discovery endpoint. | | |
| ▲ | asdfasdfadsfs 7 hours ago | parent | next [-] | | I would say acme-challenge is one of the most used ones. How else would one get SSL certificates today | | |
| ▲ | echoangle 7 hours ago | parent [-] | | DNS TXT challenge for example. Also better because you can get wildcard certs. | | |
| ▲ | sureglymop 3 hours ago | parent [-] | | Also, DNS-PERSIST-01 seems to be coming soon for Let's Encrypt, which should allow even people that can't easily dynamically update their DNS records to get wildcard certs. I assume this might become more widely used than HTTP-01 challenges. | | |
| ▲ | inigyou an hour ago | parent [-] | | I wish someone would write a blog post about the difference between DNS registrars and DNS hosts, because I've seen people assume they need to use a registrar that has an API in order to change their DNS records programmatically. I used to assume that too. |
|
|
| |
| ▲ | pstoev 6 hours ago | parent | prev [-] | | Another one that is emerging is the A2A agent card https://a2a-protocol.org/latest/topics/agent-discovery/#1-we... |
|
|
|
| ▲ | user3939382 3 hours ago | parent | prev | next [-] |
| I wish we had one for navigation layout of a site so browser chrome could render that in a consistent way. It would also be a boon for a11y. |
|
| ▲ | philipwhiuk 6 hours ago | parent | prev [-] |
| I'm not sure I like `https://domain.com/.well-known/robots.txt` any better frankly |
| |
| ▲ | russellbeattie 6 hours ago | parent [-] | | Whoever decided it would be a good idea for ".well-known" to be a "hidden" directory is a complete fool. All it does is provide the opportunity for confusion, misconfiguration, skipped backups, missed git check-ins, forgotten updates and more. Literally the only people a folder like that is hidden from is the whoever is managing the web server. Sure, if everyone knows what they're doing, it's not a problem. But we all know how long that assumption lasts. | | |
| ▲ | zamadatix 5 hours ago | parent | next [-] | | I think the blog author is the one who wrote the original RFC. To be fair to him, there once was a time web servers were more commonly thought of as truly being remote directories of files you can view or link to, not just domains the browser hides the rest of, and dotfiles would commonly act like dotfiles in local file listings. Nowadays, the assumption is if you go to the base URL it should only ever serve the default page and if you try to go to a directory it should throw an error. Well, unless you're one of those ancient sites like https://ftp.mozilla.org/ I'm not saying it's good or bad how things turned it, but the choice of a dotfile for this sure did not pan out well as the web went the exact opposite direction it would have been relevant in. | |
| ▲ | 9dev 4 hours ago | parent | prev | next [-] | | The main point of consideration here probably was how to avoid conflicts with URLs of existing sites, not exactly people who aren't able to serve an endpoint with a dot within its path... | |
| ▲ | marcosdumay an hour ago | parent | prev [-] | | TBF, those people are already hit with problems on their apache configuration and fixed their tooling long before the lack of .well-known gives them any problem. |
|
|
