The /.well-known/change-password is a new URL provided by Safari to allow to redirect the user on the location they can change their password.
As an application developer or as an operations engineer, you can consider two convenient places where to implement this redirect.
Application code
As an application developer, you can consider if it’s the responsibility of your own application to provide such a redirect.
That’s probably the case if the URL isn’t trivial: for example Phabricator and Jenkins include the username in the settings page.
Web server configuration
The other obvious place to implement the redirect is the web server configuration.
A 301 redirect indicates to the browser the resource has been moved permanently, and as such, seems the more convenient choice. The target page should be the account settings / credentials page. Ideally, HTTPS should be enforced, as we update credentials.
Who already implement this?
Currently, the redirect seems implemented in proprietary sites like GitHub or open source applications like Mastodon.
An example implementation: nginx + Bugzilla
In the front-end nginx server block, in addition to a proxy_pass to the back-end, you can include the following code:
1 2 3 |
location /.well-known/change-password { return 301 https://$host/userprefs.cgi?tab=account; } |