
You are looking in the wrong place. https://securitytxt.org/ proposes to create a text file called security.txt under the .well-known directory of your project.

So, the URL becomes: https://www.digitaltrustcenter.nl/.well-known/security.txt

This returns a 200 (via 302).
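An added example (not part of the comment above) of what a checker does once it knows where to look: try the `.well-known` path before the root, note a redirect that leaves the requested host, and confirm the file has the `Contact` and single, unexpired `Expires` field that RFC 9116 requires. The RFC is not cited in this thread, and the host, sample file and function names are constructed for illustration.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/security.txt"  # location the comment points to
LEGACY = "/security.txt"                  # web-root location, fallback only

# Constructed sample file body, not taken from any real site.
SAMPLE = """# constructed sample
Contact: mailto:security@example.com
Expires: 2030-01-01T00:00:00Z
"""

def candidate_urls(site):
    """Lookup order for a host: .well-known first, web root second."""
    host = urlsplit(site if "//" in site else "https://" + site).netloc
    return [f"https://{host}{WELL_KNOWN}", f"https://{host}{LEGACY}"]

def parse_fields(body):
    """Collect 'Name: value' lines; skip blanks, '#' comments, PGP delimiters."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line[0] == "#" or line.startswith("-----") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check(requested_url, final_url, body, now):
    """Return a list of problems for one fetched security.txt response."""
    problems = []
    req, fin = urlsplit(requested_url), urlsplit(final_url)
    if fin.scheme != "https":
        problems.append("not served over https")
    if req.netloc != fin.netloc:
        problems.append(f"redirect leaves requested host: {fin.netloc}")
    fields = parse_fields(body)
    if not fields.get("contact"):
        problems.append("missing Contact")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            if datetime.fromisoformat(expires[0].replace("Z", "+00:00")) <= now:
                problems.append("file has expired")
        except (ValueError, TypeError):
            problems.append("Expires is not a valid date-time")
    return problems
```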



Ironically, that information is apparently not well known.


I do get why they standardized it that way, but boy is it ugly.


It's "well known" if you've manually set up SSL certs for a site using certbot. But yeah, I agree it's a weird choice to put it there instead of the same place as humans.txt, robots.txt, etc.


IIRC “they” decided that all new standards for “specific URLs you may want to serve for a particular purpose” will be under /.well-known. Robots is grandfathered because it’s super old and established and thus crazy to move. There won’t be any more “at the root” standards.


Au contraire, it's the other way around. It makes more sense to put favicon.ico, robots.txt and humans.txt in .well-known, but that's life, these files are legacy. (shrugs)


I wasn't going to add one but I might actually put one in my root just out of spite.

Devs need to stop demanding other devs jump through pointless hoops.


On Linux, there is a ~/.config directory, yet devs who think they know everything still pointlessly litter my home directory...

Don't litter your web root either ;)



