{"slug": "well-known-change-password", "title": "/.well-known/change-password", "summary": "The W3C Web Application Security Working Group has standardized the /.well-known/change-password URL as a redirect endpoint that points password managers and users to a site's actual change-password page. The endpoint, which must serve a 302 or 303 redirect over HTTPS, enables password managers like 1Password and Bitwarden to take users directly to the password change form from breach alerts. Sites without user accounts should not implement the URL, as a 404 response correctly signals the feature is unsupported.", "body_md": "# /.well-known/change-password\n\nA standard redirect endpoint that points password managers and users at your real change-password page. Only applicable if the site has user accounts — sites without logins have nothing to point at and should not implement it.\n\n## What it is\n\n`/.well-known/change-password` is a fixed URL that resolves, by redirect, to the page where a user can change their password. The W3C Web Application Security Working Group defined it so that password managers, browsers and security tooling can jump a user from a breach alert or rotation prompt to the right form in one click.\n\nIt is not a form itself. It is a discoverable pointer.\n\n**Applies only if your site has user accounts.** A marketing site, documentation site, or any other site without a login flow has no change-password page to point at and should not implement this URL — see the note at the end of the implementation section.\n\n## Why it matters\n\n**Password managers** (1Password, Bitwarden, iCloud Keychain, Chrome, Edge, Firefox) probe this URL when they detect a weak or breached credential. If it works, the “change password” button takes the user straight there.\n\n**Users** who type `example.com/.well-known/change-password` into the address bar get to the right place without hunting through account menus.\n\n**Security teams** can use it as part of incident response: send everyone to one URL and the redirect resolves the rest.\n\nIt costs almost nothing to implement and removes a step from one of the highest-friction user journeys on the web.\n\n## How to implement\n\nServe an HTTP **302** (or **303**) redirect from `/.well-known/change-password` to your actual change-password page.\n\n```\nGET /.well-known/change-password HTTP/1.1\nHost: example.com\n\nHTTP/1.1 302 Found\nLocation: https://example.com/account/security/password\n```\n\nRules:\n\n- Serve it over **HTTPS** on the canonical host (the same host users log in to).\n- The destination must be the page where a logged-in user can **change their existing password** — not the password reset flow for forgotten passwords, and not the sign-up page.\n- The destination should work for an unauthenticated user too: redirect them to sign in first, then back to the change-password page.\n- Do not return **404**. A 404 tells password managers the feature is not supported.\n\nIf you do not have accounts at all (a static marketing site, a documentation site, a brochure-ware site), do not implement this URL. There is nothing for it to redirect to, and a broken or placeholder destination is worse than the absence of the endpoint — password managers treat a 404 here as “feature unsupported” and move on, which is the correct outcome for a site without logins.\n\n## Common mistakes\n\n- Pointing at the password **reset** flow instead of the **change** flow. Reset is for forgotten passwords; change is for known-good users rotating credentials.\n- Returning a 200 with an HTML page instead of a redirect. Some clients follow it, but the spec says to redirect.\n- Hiding it behind a `noindex` requirement or a WAF rule that blocks non-browser user agents.\n- Forgetting the leading dot in `/.well-known/`.\n\n## Verification\n\n```\ncurl -I https://example.com/.well-known/change-password\n```\n\nYou should see a `302` or `303` response with a `Location:` header pointing at your real change-password page. Test in a password manager: trigger a weak-password warning and confirm the “Change password” button works.\n\n## Sources & further reading\n\n- [A Well-Known URL for Changing Passwords](https://w3c.github.io/webappsec-change-password-url/) — W3C Web Application Security Working Group\n- [IANA — Well-Known URIs Registry](https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml) — IANA\n- [MDN — Well-known URIs](https://developer.mozilla.org/en-US/docs/Web/Security) — MDN", "url": "https://wpnews.pro/news/well-known-change-password", "canonical_source": "https://specification.website/spec/well-known/change-password/", "published_at": "2026-06-08 12:00:00+00:00", "updated_at": "2026-06-17 13:28:58.505745+00:00", "lang": "en", "topics": ["ai-safety"], "entities": ["W3C", "1Password", "Bitwarden", "iCloud Keychain", "Chrome", "Edge", "Firefox", "IANA"], "alternates": {"html": "https://wpnews.pro/news/well-known-change-password", "markdown": "https://wpnews.pro/news/well-known-change-password.md", "text": "https://wpnews.pro/news/well-known-change-password.txt", "jsonld": "https://wpnews.pro/news/well-known-change-password.jsonld"}}