Know any well-known URL’s?

I recently came across a blog post that explained how to make 1Password understand where your change password page is located. It referred to something called "well-known" URL's and I was completely unfamiliar with those. So I did a little digging...

There are dozens of well-known URL's

It immediately became obvious that the change password URL is not the only one! According to Wikipedia, there are nearly 50 URL's, all with a different purpose, such as:

  • Security measures (challenges, public keys, etc)
  • Discovery mechanisms (mailserver identification, name of the host, etc)
  • Server timezone / locale info
  • And more...

They even date back more than 10 years ago!

It always starts with .well-known

A well-known URL path always starts with /.well-known/. In essence, it is a way to provide extra, standarized services through a webserver. It reminded me of the Finger command on Linux and guess what: there is a Webfinger URL as well.

The change password technique is quite simple, you simply create a redirect:

/.well-known/change-password => /url-of-your-change-password-page

How about security?

Offering services through your webserver has the advantage of keeping your server's open ports to a minimum. Some experts say that providing standard endpoints makes it easier for hackers to target your server, as they know where to look for vulnerabilities. Then again, hiding these services and relying on security by obscurity isn't the way to go either.

The well-known URL proposal itself mentions the benefit for client-side password management software: it helps improve both the security and usability of websites which require authentication.

It does make your webserver and sites a bigger single point of failure, which would be my concern, though.

Great for UX!

There some great benefits for UX as well. The well-known URL's can direct you to common places you'd expect from a web app. Change password is one thing, perhaps we could follow up with Enable 2FA? Whereas predictability can be a bad thing for security, it can be great for usability.

With more initiatives popping up for well known URL's, I wonder what URL's will be next! In the mean time, why not implement the change password URL...