Site Standards Check
Verify a site publishes security.txt, robots.txt, sitemap.xml, app-linking files, and other well-known disclosure standards.
Monitor this automatically
NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.
Start monitoring free → See all monitoring productsFrequently Asked Questions
What is the .well-known directory?
RFC 8615 defines /.well-known/ as a standard location for site-level metadata files used by browsers, mobile operating systems, password managers, and security researchers. This tool checks whether your site publishes the files it should.
What is security.txt?
security.txt (RFC 9116) is a standardised file at /.well-known/security.txt that tells security researchers how to report vulnerabilities to you. Without it, researchers who find issues on your site don't know who to contact, and legitimate reports get ignored or lost.
What are Universal Links and App Links?
These are files that let mobile apps intercept web links: apple-app-site-association for iOS Universal Links and Password AutoFill, and assetlinks.json for Android App Links. If you don't have a mobile app, you don't need these — this tool will note their absence without flagging it as an error.
What is /.well-known/change-password?
A W3C standard redirect path that password managers use to send users to your account password-change page when a credential has been flagged as compromised (e.g., after a Have I Been Pwned alert). You simply redirect /.well-known/change-password to your existing change-password URL.
Why check robots.txt and sitemap.xml?
robots.txt controls which parts of your site search engines can crawl. A missing sitemap means crawlers may miss pages. A misconfigured Disallow: / can accidentally de-index your entire site. This tool flags both missing files and common misconfigurations.