Well-Known URIs Explained (RFC 8615)

The /.well-known/ convention (RFC 8615) and the key paths: security.txt, change-password, openid-configuration, acme-challenge, apple-app-site-association, assetlinks.json, ai.txt/llms.txt.

The web has files that every site agrees to place 'in a fixed spot.' So that browsers, search bots, certificate authorities, and operating systems can find certain metadata without guessing, sites place it at a predictable path under the host root. RFC 8615 standardizes this convention, defining paths of the form https://host/.well-known/<name>. Each name is registered in IANA's well-known URI registry.

Why /.well-known/ exists

Suppose a tool wants to know 'where is this site's security contact.' If every site had its own page structure, there'd be no way to find it. Agree instead that 'the security contact always lives at /.well-known/security.txt,' and any site can be queried with a single request to that path. /.well-known/ is that shared mailbox for machine-readable, site-level metadata.

GET /.well-known/security.txt HTTP/1.1
Host: example.com

HTTP/1.1 200 OK
Content-Type: text/plain

Contact: mailto:security@example.com
Expires: 2026-12-31T23:59:59.000Z
Preferred-Languages: ko, en
Policy: https://example.com/security-policy

Commonly used well-known paths

Mobile app-association files

Mobile operating systems also link web and app via well-known paths. iOS's /.well-known/apple-app-site-association (AASA, JSON) declares which URLs open in the app (Universal Links). Android's /.well-known/assetlinks.json (Digital Asset Links) verifies the relationship between a domain and an app, enabling App Links and autofill sign-in. Both require the correct Content-Type (usually application/json) and a direct 200 with no redirect — get that wrong and deep links fail silently.

GET /.well-known/assetlinks.json HTTP/1.1
Host: example.com

HTTP/1.1 200 OK
Content-Type: application/json

[{"relation":["delegate_permission/common.handle_all_urls"],
  "target":{"namespace":"android_app","package_name":"com.example.app",
           "sha256_cert_fingerprints":["A1:B2:C3:..."]}}]

robots.txt, ai.txt/llms.txt

Some files sit at the root by convention. /robots.txt predates the well-known registry as the crawler-rules file, and it lives at the root rather than under /.well-known/. More recently, informal conventions aimed at AI crawlers and LLMs have appeared, like /ai.txt and /llms.txt. Where robots.txt controls bot access, llms.txt is an attempt to curate key information so an LLM can summarize and understand the site. Note, however, that these are community proposals, not IETF standards yet.

Operational gotchas

Well-known files must usually be public with no authentication, and many (like the app-association files) are sensitive to redirects. When you deploy, verify that (1) the path returns 200 over HTTPS, (2) the Content-Type is correct, and (3) no auth middleware or SPA fallback routing intercepts it. A common failure is a frontend framework that rewrites every path to index.html, so the .well-known file responds as HTML and tools fail to parse it.