What is the purpose of the .well-known/change-password URL?

The .well-known directory is a web convention (introduced by the IETF) that defines a standard location for hosting metadata or official policies on a site.

One of the applications of this convention is the /.well-known/change-password URL. Its purpose is simple: to systematically redirect the user to your site's password change page.

This notably allows browsers and password managers (like those from Google, Apple, etc.) to offer a direct link to update a potentially compromised password, without the user having to search for the right page.

What are the benefits?

Setting up a .well-known/change-password URL offers several important benefits:

  • Simplified user experience: Instead of searching for the right page, users (and their password managers) have a single, predictable address. This is a significant time saver, especially when updating many accounts.
  • Enhanced security: By offering an official and recognizable URL, you reduce the risk of your users being tricked by phishing attacks that would imitate your page.
  • Interoperability and standardization: You adopt a consistent approach, recognized by the web ecosystem. This promotes the integration of your site with security tools and browsers.

Is this relevant for my site?

If your website has a private area where users can manage their password, then yes, it is likely that your website should support the .well-known/change-password URL. It's a good practice that improves security and your users' experience without any drawbacks.

Who uses such .well-known/change-password URLs?

The main players on the web have already implemented the .well-known/change-password redirect:


How to install this recipe on my website with redirection.io?

Installing this recipe on your website requires the following steps:

  1. Navigate to the change password page: on your website, locate the user account page where users can change their password. Accessing this page requires users to authenticate first
  2. Copy the complete URL of this page
  3. Paste this URL in the recipe configuration
  4. Click on the install button: this will create a new rule in "draft" mode, so you can edit it if necessary
  5. Publish the rules: a few seconds after the publication, the .well-known/change-password will be active
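Once the rule is published, it is worth confirming that the redirect lands where you intended. The following check is an added example, not part of the redirection.io recipe. It assumes a hypothetical site `shop.example`, assumes the rule should answer with a temporary redirect (302, 303 or 307), and takes the list of hosts you consider legitimate targets as input.

```python
import http.client
from urllib.parse import urljoin, urlsplit

WELL_KNOWN_PATH = "/.well-known/change-password"
# Assumption: the rule should answer with a temporary redirect.
TEMPORARY_REDIRECTS = frozenset({302, 303, 307})

def audit_response(origin, status, location, allowed_hosts,
                   statuses=TEMPORARY_REDIRECTS):
    """Return a list of findings for one response; an empty list means OK."""
    if status not in statuses:
        return [f"status {status} is not an accepted redirect"]
    if not location:
        return ["redirect has no Location header"]
    # Resolve relative and scheme-relative Location values like a client would.
    target = urlsplit(urljoin(origin + WELL_KNOWN_PATH, location))
    findings = []
    if target.scheme != "https":
        findings.append(f"target scheme is {target.scheme!r}, expected 'https'")
    if (target.hostname or "").lower() not in allowed_hosts:
        findings.append(f"target host {target.hostname!r} is not one you listed")
    if target.path.rstrip("/") == WELL_KNOWN_PATH:
        findings.append("target is the well-known URL itself (redirect loop)")
    return findings

def probe(host, timeout=10):
    """Fetch (status, Location) from a live site without following redirects."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("GET", WELL_KNOWN_PATH)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

# Constructed sample responses for the hypothetical site shop.example.
SAMPLES = [
    (302, "/account/password"),
    (200, None),
    (302, "http://shop.example/account/password"),
    (302, "//other.example/password"),
]

if __name__ == "__main__":
    for status, location in SAMPLES:
        result = audit_response("https://shop.example", status, location,
                                {"shop.example"})
        print(status, location, "->", result or "OK")
```

To check a live site, pass the output of `probe("your-host")` to `audit_response` together with the hosts you own.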
