Hacker News
by NVQXE23I 1119 days ago
You are looking in the wrong place. https://securitytxt.org/ proposes to create a text file called security.txt under the .well-known directory of your project.

So, the URL becomes: https://www.digitaltrustcenter.nl/.well-known/security.txt

This returns a 200 (via 302).
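The lookup described in the comment above, as an added example that is not part of the original thread: it tries the `.well-known` path first, follows redirects by hand so each hop is recorded, and flags a final location a reporter should double-check. The `fetch` interface, the hosts and the responses are constructed for illustration; the legacy root fallback and the `text/plain` check follow RFC 9116.

```python
from urllib.parse import urljoin, urlsplit

# Preferred location first, then the legacy top-level path.
CANDIDATES = ("/.well-known/security.txt", "/security.txt")
REDIRECTS = {301, 302, 303, 307, 308}

def locate_security_txt(origin, fetch, max_hops=5):
    """Return {'url', 'hops', 'warnings'} for the first candidate ending in 200, else None.

    fetch(url) -> (status, headers) is a caller-supplied function (hypothetical
    interface) that must NOT follow redirects itself.
    """
    start_host = urlsplit(origin).hostname
    for path in CANDIDATES:
        url, hops = urljoin(origin, path), []
        for _ in range(max_hops + 1):
            status, headers = fetch(url)
            if status not in REDIRECTS or "Location" not in headers:
                break
            hops.append((status, url))  # record every redirect seen
            url = urljoin(url, headers["Location"])
        else:
            continue  # redirect loop or chain too long: try the next candidate
        if status != 200:
            continue
        warnings = []
        final = urlsplit(url)
        if final.scheme != "https":
            warnings.append("not served over HTTPS")
        if final.hostname != start_host:
            warnings.append(f"redirected to another host: {final.hostname}")
        if not headers.get("Content-Type", "").startswith("text/plain"):
            warnings.append("Content-Type is not text/plain")
        if path != CANDIDATES[0]:
            warnings.append("only found at legacy root path")
        return {"url": url, "hops": hops, "warnings": warnings}
    return None

# Constructed responses (no network access): a 302 to a www host, a legacy-only
# site serving the wrong content type, and a site that redirects to itself.
SAMPLE = {
    "https://example.org/.well-known/security.txt": (302, {"Location": "https://www.example.org/.well-known/security.txt"}),
    "https://www.example.org/.well-known/security.txt": (200, {"Content-Type": "text/plain; charset=utf-8"}),
    "https://legacy.example/security.txt": (200, {"Content-Type": "text/html"}),
    "https://loop.example/.well-known/security.txt": (302, {"Location": "/.well-known/security.txt"}),
}

def sample_fetch(url):
    return SAMPLE.get(url, (404, {}))
```
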

1 comments

Ironically, that information is apparently not well known.
I do get why they standardized it that way, but boy is it ugly.
It's "well known" if you've manually set up SSL certs for a site using certbot. But yeah, I agree it's a weird choice to put it there instead of the same place as humans.txt, robots.txt, etc.
IIRC “they” decided that all new standards for “specific URLs you may want to serve for a particular purpose” will be under /.well-known. Robots is grandfathered because it’s super old and established and thus crazy to move. There won’t be any more “at the root” standards.
Au contraire, it's the other way around. It makes more sense to put favicon.ico, robots.txt and humans.txt in .well-known, but that's life, these files are legacy. (shrugs)
I wasn't going to add one but I might actually put one in my root just out of spite.

Devs need to stop demanding other devs jump through pointless hoops.

On Linux, there is a ~/.config directory, yet devs who think they know everything still pointlessly litter my home directory...

Don't litter your web root either ;)