# The .well-known Directory Audit — Probe 13 Files, Fix the Gaps

Audit /.well-known/ for the files that matter in 2026 — security.txt, agent-card.json, ai-plugin.json, change-password, webfinger — and generate copy-paste replacements for anything missing.

Author: J.A. Watte
Published: April 20, 2026
Source: https://jwatte.com/blog/blog-tool-well-known-audit/

---

Most sites expose two files from `/.well-known/`: maybe `security.txt` and, if someone configured ACME, a certbot artifact. That's it. The other eleven things that can live there, all standards-defined and all useful in 2026, don't get served because nobody remembered them at build time.

The [.well-known Directory Audit](/tools/well-known-audit/) probes every standard path in parallel, validates what's served, and generates files for what isn't. You paste a URL, you get back a coverage score and a copy-paste fix kit.

## What it actually checks

The script fetches thirteen paths. The standards-mandated ones under `/.well-known/`:

- `security.txt`. RFC 9116. Validates that `Contact:` and `Expires:` fields are present. If not, you have a file but it's not compliant.
- `agent-card.json`. The AI agent protocol handshake. AI models now check for this before scraping.
- `ai-plugin.json`. ChatGPT-plugin / AI-service manifest. Matters if you expose an API.
- `change-password`. The W3C redirect that tells password managers where to send users clicking "change compromised password."
- `webfinger`. Federated identity discovery. If you're on Mastodon or Bluesky and want to be verifiably you, this is the bridge.
- `host-meta`, `assetlinks.json`, `apple-app-site-association`, `openid-configuration`, `nodeinfo`. App-to-web links, OpenID discovery, federated metadata.

Plus three root-level companions that sit alongside: `robots.txt`, `humans.txt`, `ads.txt`.

## The fix kit

When a file is missing, the tool generates a replacement with your host, name, and today's date already substituted in. `security.txt` comes pre-signed with a 365-day Expires. `agent-card.json` ships with `no-auth` as the default and your hostname plugged into the chat endpoint. `change-password` arrives as the Netlify `_redirects` line *and* the Apache `.htaccess` equivalent.

You can copy each one to clipboard or download it as the real file. For the hosting-config step, the generated LLM prompt asks Claude for the `_headers` / `.htaccess` / Nginx snippet to serve each file with the correct `Content-Type`.
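To make the probe-validate-generate loop above concrete, here is an added example script (not the audit tool's own code, which is not published on this page). It fetches the thirteen paths in parallel without following redirects, applies a per-path verdict, checks `security.txt` for the RFC 9116 `Contact:` and `Expires:` fields, and emits a fix-kit style `security.txt` with `Expires` 365 days out. The verdict rules are my assumptions about what "validates what's served" means: `change-password` must answer with a 3xx, the JSON manifests must parse and carry a JSON `Content-Type`, and an `Expires` more than a year out is flagged because RFC 9116 says it should be less than a year. The standard-library `HTTPRedirectHandler` subclass is what keeps urllib from silently following the `change-password` redirect.

```python
"""Audit /.well-known/: probe the article's thirteen paths without following
redirects, classify each response, and generate an RFC 9116 security.txt."""
import json
import sys
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime, timedelta, timezone
from urllib.error import HTTPError, URLError
from urllib.request import HTTPRedirectHandler, Request, build_opener

WK = "/.well-known/"
# The thirteen paths the article lists: ten under /.well-known/, three at the root.
PATHS = [WK + p for p in ("security.txt", "agent-card.json", "ai-plugin.json",
         "change-password", "webfinger", "host-meta", "assetlinks.json",
         "apple-app-site-association", "openid-configuration", "nodeinfo")
         ] + ["/robots.txt", "/humans.txt", "/ads.txt"]
# Paths whose body is expected to be JSON (assumption for the validation step).
JSON_PATHS = (".json", "apple-app-site-association", "openid-configuration", "nodeinfo")

def parse_security_txt(text):
    """Map each RFC 9116 'Field: value' line to {field_lower: [values]}; fields may repeat."""
    fields = {}
    for line in (l.strip() for l in text.splitlines()):
        name, sep, value = line.partition(":")
        if sep and not line.startswith("#"):  # skip comments and non-field lines
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def audit_security_txt(text, now=None):
    """Return compliance problems (empty list = passes): the two MUST fields, Contact
    and Expires, plus Expires being a single future timestamp less than a year out."""
    now = now or datetime.now(timezone.utc)
    fields, problems = parse_security_txt(text), []
    if "contact" not in fields:
        problems.append("missing Contact")
    if "expires" not in fields:
        problems.append("missing Expires")
    elif len(fields["expires"]) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.fromisoformat(fields["expires"][0].replace("Z", "+00:00"))
        except ValueError:
            problems.append("Expires is not an ISO 8601 timestamp")
        else:
            if exp.tzinfo is None:  # RFC requires a zone; assume UTC rather than crash
                exp = exp.replace(tzinfo=timezone.utc)
            if exp <= now:
                problems.append("Expires is in the past")
            elif exp > now + timedelta(days=366):
                problems.append("Expires is more than a year out")
    return problems

def generate_security_txt(host, contact_email, now=None, days=365):
    """Fix-kit style replacement: Contact, Expires `days` out, Canonical."""
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f"Contact: mailto:{contact_email}\nExpires: {expires}\n"
            f"Canonical: https://{host}{WK}security.txt\n")

def classify(path, status, content_type, body):
    """Verdict for one probe response; status None means the request failed outright."""
    if status in (None, 404):
        return "missing"
    if path.endswith("change-password"):
        # The W3C well-known URL must 3xx-redirect to the real change-password page.
        return "ok" if 300 <= status < 400 else "present but not a redirect"
    if status != 200:
        return f"unexpected HTTP {status}"
    if path.endswith("security.txt"):
        problems = audit_security_txt(body)
        return "ok" if not problems else "non-compliant: " + "; ".join(problems)
    if path.endswith(JSON_PATHS):
        try:
            json.loads(body)
        except ValueError:
            return "present but not valid JSON"
        if "json" not in (content_type or ""):
            return "ok but wrong Content-Type"
    return "ok"

class _NoRedirect(HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError for 3xx instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def probe(base_url, timeout=5):
    """Fetch all thirteen paths in parallel; return {path: verdict}."""
    opener = build_opener(_NoRedirect)

    def fetch(path):
        req = Request(base_url.rstrip("/") + path, headers={"User-Agent": "well-known-audit"})
        try:
            with opener.open(req, timeout=timeout) as r:
                resp = (r.status, r.headers.get("Content-Type"), r.read())
        except HTTPError as e:  # unfollowed 3xx and 4xx/5xx land here
            resp = (e.code, e.headers.get("Content-Type"), e.read())
        except (URLError, OSError):
            return path, "missing"
        return path, classify(path, resp[0], resp[1], resp[2].decode("utf-8", "replace"))

    with ThreadPoolExecutor(max_workers=len(PATHS)) as pool:
        return dict(pool.map(fetch, PATHS))

if __name__ == "__main__":  # usage: python wk_audit.py https://example.com
    for path, verdict in probe(sys.argv[1]).items():
        print(f"{path:45} {verdict}")
```

`audit_security_txt` is pure, so you can run it over a file you are about to deploy before it ever hits the server; `generate_security_txt` output round-trips through it cleanly, which is the property the fix kit relies on.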

## Why this is suddenly load-bearing

Three things shifted in the last year.

**AI agents discover via protocol.** When a Claude skill or a Perplexity tool hits your domain, the first request is `/.well-known/agent-card.json`. No card, no clean surface. The model falls back to web-scraping your HTML and misses half your API.

**Password managers honor `change-password`.** Safari and 1Password route "change this leaked password" directly to `/.well-known/change-password`. Without the redirect, users land on your homepage, can't find the change flow, and give up. That's churn you don't need.

**Security researchers expect `security.txt`.** Responsible disclosure starts with a curl. No file means reports go through `contact@` or, worse, get posted publicly because the researcher couldn't reach you privately.

## Where this pairs with the other tools

The [Mega Analyzer](/tools/mega-analyzer/) touches one or two `.well-known` files as part of a broader audit. This tool covers the full standard-defined set and generates fixes. Run both. The Mega Analyzer tells you the big-picture score; this tells you which identity files are still missing.

For the methodology, Chapter 4 of [The $20 Dollar Agency](https://the20dollaragency.com/), *Technical SEO Files*, is the reference. Chapter 8 of [The $100 Network](https://the100dollarnetwork.com/), *Underused Platform Features That Replace Paid Tools*, shows how to serve all of these from a Cloudflare Worker instead of paying an identity SaaS.

