Add support for custom .well-known files

It's currently impossible to add custom files to a ".well-known" directory in the root of a website. We need to be able to create arbitrary files in this directory to support various site verification and configuration needs.


For example the .well-known/com.apple.remotemanagement, required by Apple to enable user device enrolments: https://developer.apple.com/documentation/devicemanagement/user_enrollment/onboarding_users_with_account_sign-in/implementing_the_simple_authentication_user-enrollment_flow


But many other examples exists, including security.txt: https://securitytxt.org/

  • Webflow User
  • May 8 2024
  • Shipped
  • Dec 17, 2024

    Admin response

    We recently expanded which well-known files are supported in Webflow and how they're managed. See update →

  • Dominik Sigl commented
    18 Dec 15:57

    Thanks for implementing this - however hiding it behind the business subscription I personally find hilarious. This is nothing fancy but a basic feature every responsible website hosting service should support.

  • Vaughan Shanks commented
    22 Oct 09:27

    Recent development: https://www.cisa.gov/resources-tools/resources/product-security-bad-practices

    In particular, the VDP is often in /.well-known/security.txt, and CISA are calling out lack of VDP as a "Bad Practice":


    Failing to Publish a Vulnerability Disclosure Policy

    For products used in service of critical infrastructure or NCFs, not having a published vulnerability disclosure policy (VDP) that includes the product in its scope is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety.

    Recommended actions:

    • Software manufacturers should publish a VDP that:

    • Authorizes testing by members of the public on products offered by the manufacturer;

    • Commits to not recommending or pursuing legal action against anyone engaging in good faith efforts to follow the VDP,

    • Provides a clear channel to report vulnerabilities; and

    • Allows for public disclosure of vulnerabilities in line with coordinated vulnerability disclosure (CVD) best practices and international standards.

    • Software manufacturers should remediate all valid reported vulnerabilities in a timely and risk-prioritized manner.

    Resources: CISA Secure by Design Pledge (Vulnerability Disclosure Policy), SSDF RV.1.3, ISO 29147.


  • Mirco Knecht commented
    20 Aug 04:37

    Can we merge these votes into the following request, and get this looked into: https://wishlist.webflow.com/ideas/WEBFLOW-I-6154