.well-known validator

Per RFC 8615

Consistency check across security.txt, robots.txt, MTA-STS and friends.

What is this, and when do I need it?

What is this?

The /.well-known/ path is a standardised place on your web server (RFC 8615) where machines look for expected config and metadata files. Examples: security.txt, mta-sts.txt, openid-configuration, apple-app-site-association.

This tool takes a domain and checks the usual list of well-known paths - which are reachable, which are missing, which respond with a wrong content type or a redirect.
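The classification described above, sketched as an added example (not this tool's own code). The expected content types, the verdict names and the sample responses are assumptions constructed for illustration.

```python
# Expected media types per RFC 9116, RFC 8461, OpenID Connect Discovery and
# Apple's documentation. This table is an assumption, not this tool's own list.
EXPECTED = {
    "security.txt": "text/plain",
    "mta-sts.txt": "text/plain",
    "openid-configuration": "application/json",
    "apple-app-site-association": "application/json",
}

def well_known_url(domain, name):
    # RFC 8461 serves the MTA-STS policy from the mta-sts.<domain> host.
    host = f"mta-sts.{domain}" if name == "mta-sts.txt" else domain
    return f"https://{host}/.well-known/{name}"

def classify(name, status, headers):
    headers = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if 300 <= status < 400:
        return "redirect"
    if status in (404, 410):
        return "missing"
    if status != 200:
        return "error"
    # Drop parameters such as "; charset=utf-8" before comparing.
    got = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    return "ok" if got == EXPECTED[name] else "wrong-content-type"

def audit(domain, responses):
    return {well_known_url(domain, n): classify(n, s, h)
            for n, (s, h) in responses.items()}

# Constructed sample responses (status, headers); no network access is needed.
SAMPLE = {
    "security.txt": (200, {"Content-Type": "text/plain; charset=utf-8"}),
    "mta-sts.txt": (301, {"Location": "https://www.example.com/"}),
    "openid-configuration": (404, {"Content-Type": "text/html"}),
    # A 200 with text/html is typical of a catch-all page served for any path.
    "apple-app-site-association": (200, {"content-type": "text/html; charset=UTF-8"}),
}

if __name__ == "__main__":
    for url, verdict in audit("example.com", SAMPLE).items():
        print(f"{verdict:<20}{url}")
```

The redirect verdict matters most for mta-sts.txt, because RFC 8461 tells senders not to follow HTTP 3xx redirects when fetching the policy.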

When do I need it?

As an audit tool before pushing a domain into production, or as a sanity check after a migration. Also handy when you want to see which paths your competitors or vendors already serve - it tells you something about their security maturity.

Server path: this tool does NOT run locally in your browser. We fetch the .well-known paths from our server, because browsers cannot make cross-origin requests to foreign domains unless those domains allow it via CORS. We do not log the queried domain or the results. Rate limit: 6 requests per minute per IP.