Add support for custom .well-known files

It's currently impossible to add custom files to a ".well-known" directory in the root of a website. We need to be able to create arbitrary files in this directory to support various site verification and configuration needs.


For example the .well-known/com.apple.remotemanagement, required by Apple to enable user device enrolments: https://developer.apple.com/documentation/devicemanagement/user_enrollment/onboarding_users_with_account_sign-in/implementing_the_simple_authentication_user-enrollment_flow


But many other examples exists, including security.txt: https://securitytxt.org/

  • Webflow User
  • May 8 2024
  • Shipped
  • Dec 17, 2024

    Admin response

    We recently expanded which well-known files are supported in Webflow and how they're managed. See update →

  • Yves Sinka commented
    December 29, 2024 10:00

    I agree with the other comments. Please reconsider this.

  • Christopher Skaletz commented
    December 28, 2024 13:28

    I agree with the below comment. A basic feature like that is available with most website hosting services and should be available for all paid plans. It seems a little money hungry to lock this behind Business and up. Not all users requiring this feature use it for app development and such, and consequently have a smaller budget.

  • Dominik Sigl commented
    December 18, 2024 15:57

    Thanks for implementing this - however hiding it behind the business subscription I personally find hilarious. This is nothing fancy but a basic feature every responsible website hosting service should support.

  • Vaughan Shanks commented
    October 22, 2024 09:27

    Recent development: https://www.cisa.gov/resources-tools/resources/product-security-bad-practices

    In particular, the VDP is often in /.well-known/security.txt, and CISA are calling out lack of VDP as a "Bad Practice":


    Failing to Publish a Vulnerability Disclosure Policy

    For products used in service of critical infrastructure or NCFs, not having a published vulnerability disclosure policy (VDP) that includes the product in its scope is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety.

    Recommended actions:

    • Software manufacturers should publish a VDP that:

    • Authorizes testing by members of the public on products offered by the manufacturer;

    • Commits to not recommending or pursuing legal action against anyone engaging in good faith efforts to follow the VDP,

    • Provides a clear channel to report vulnerabilities; and

    • Allows for public disclosure of vulnerabilities in line with coordinated vulnerability disclosure (CVD) best practices and international standards.

    • Software manufacturers should remediate all valid reported vulnerabilities in a timely and risk-prioritized manner.

    Resources: CISA Secure by Design Pledge (Vulnerability Disclosure Policy), SSDF RV.1.3, ISO 29147.


  • Mirco Knecht commented
    August 20, 2024 04:37

    Can we merge these votes into the following request, and get this looked into: https://wishlist.webflow.com/ideas/WEBFLOW-I-6154