Directory endpoint reachable

The directory endpoint must answer with an HTTP 2xx response; an unreachable or non-2xx endpoint means there is no directory.

What this check verifies

This check fetches the well-known directory path and confirms the endpoint answers with an HTTP 2xx status. It covers two failure shapes:

  • The endpoint cannot be reached at all: a connection failure, timeout, DNS error, or a malformed redirect. Nothing was served.
  • The endpoint answers, but with a non-2xx status such as 404, 403, 500, or a redirect that does not resolve to a 200.

Either case means there is no usable directory at that path. When nothing is served, this is the only directory check that runs; the media type, JSON, and per-key checks would be meaningless with no response to inspect.

Why it matters

A directory only exists if the endpoint answers 200. A verifier that fetches your well-known path and gets a 404 has nothing to check a signature against, so your signed requests cannot be verified. A 404 is the standard signal for “no directory published here,” which is different from a directory that exists but is broken.

For this reason the result feeds the report verdict rather than the letter grade. An unreachable or non-2xx endpoint is reported as NOT FOUND, and the grade is hidden, because a 404 with an HTML error body is not a low-grade directory; it is the absence of one. A grade is only meaningful once a directory is actually served.

How to fix it

  1. Confirm the directory is served at exactly https://<your-host>/.well-known/http-message-signatures-directory and returns HTTP 200.
  2. Check for a path typo, a route that only matches a trailing slash, or a host that resolves to the wrong origin.
  3. If you return 403 or 401, remove the auth requirement: the directory is public data and must be fetchable without credentials.
  4. If you redirect, make sure the chain ends at a 200 and stays on HTTPS (see the HTTPS check).

Common causes are a missing route for the well-known path, a reverse proxy that does not forward it, or an origin returning a 5xx error. Fetch the URL yourself and confirm the status line reads 200.
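The two failure shapes listed under "What this check verifies" and the redirect rule in step 4 above, as an added example that is not the checker's or the draft's own code. It fetches the well-known path, follows redirects one hop at a time, requires every hop to stay on HTTPS, and reports NOT_FOUND for anything other than a final 2xx. The `fetch` parameter and the `stub_fetch` helper are assumptions introduced here so the check can be exercised offline against constructed responses; the default `urllib_fetch` performs a real request.

```python
"""Reachability check for the HTTP Message Signatures directory endpoint.

Added example, not the checker's or the draft's own code. It implements
the check described on this page: fetch the well-known path, follow
redirects hop by hop, require every hop to stay on HTTPS, and treat
anything but a final 2xx as "no directory" (NOT_FOUND).

Assumption: the `fetch` parameter (a callable returning (status, headers)
and raising on connection failure) is introduced here so the check can be
run offline with constructed responses; the default uses urllib.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urljoin, urlsplit

WELL_KNOWN_PATH = "/.well-known/http-message-signatures-directory"
MAX_REDIRECTS = 5
REDIRECT_CODES = (301, 302, 303, 307, 308)

Fetch = Callable[[str], Tuple[int, Dict[str, str]]]


@dataclass
class DirectoryResult:
    verdict: str                # "FOUND" (2xx served) or "NOT_FOUND"
    final_url: str              # last URL requested (or refused, for an off-HTTPS hop)
    http_status: Optional[int]  # None when nothing was served at all
    detail: str                 # human-readable reason


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_fetch(url: str) -> Tuple[int, Dict[str, str]]:
    """Real network fetch (default). Returns (status, headers); raises on
    DNS, connection or timeout failures. 3xx/4xx/5xx come back as statuses."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def check_directory(host: str, fetch: Fetch = urllib_fetch) -> DirectoryResult:
    """Return FOUND only if the well-known path ends at an HTTPS 2xx."""
    url = f"https://{host}{WELL_KNOWN_PATH}"
    for _ in range(MAX_REDIRECTS + 1):
        try:
            status, raw_headers = fetch(url)
        except Exception as exc:  # DNS error, refused connection, timeout: nothing served
            return DirectoryResult("NOT_FOUND", url, None, f"unreachable: {exc}")
        headers = {k.lower(): v for k, v in raw_headers.items()}
        if 200 <= status < 300:
            return DirectoryResult("FOUND", url, status, "directory served")
        if status in REDIRECT_CODES:
            location = headers.get("location")
            if not location:
                return DirectoryResult("NOT_FOUND", url, status, "redirect without Location")
            url = urljoin(url, location)
            if urlsplit(url).scheme != "https":
                return DirectoryResult("NOT_FOUND", url, status, "redirect leaves HTTPS")
            continue
        # 404, 401/403, 5xx: something answered, but it is not a directory
        return DirectoryResult("NOT_FOUND", url, status, f"non-2xx status {status}")
    return DirectoryResult("NOT_FOUND", url, None, "too many redirects")


def stub_fetch(table: Dict[str, Tuple[int, Dict[str, str]]]) -> Fetch:
    """Constructed offline stand-in for urllib_fetch: unknown URLs raise."""
    def fetch(url: str) -> Tuple[int, Dict[str, str]]:
        if url not in table:
            raise ConnectionError("no route to host")
        return table[url]
    return fetch


# Constructed sample responses covering the failure shapes described on this page.
SAMPLE_RESPONSES = {
    "https://good.example" + WELL_KNOWN_PATH: (200, {}),
    "https://missing.example" + WELL_KNOWN_PATH: (404, {"Content-Type": "text/html"}),
    "https://private.example" + WELL_KNOWN_PATH: (403, {}),
    "https://moved.example" + WELL_KNOWN_PATH: (301, {"Location": "/keys/directory"}),
    "https://moved.example/keys/directory": (200, {}),
    "https://downgrade.example" + WELL_KNOWN_PATH: (302, {"Location": "http://downgrade.example/directory"}),
}


if __name__ == "__main__":
    fetch = stub_fetch(SAMPLE_RESPONSES)
    for host in ("good.example", "missing.example", "private.example",
                 "moved.example", "downgrade.example", "unreachable.example"):
        r = check_directory(host, fetch)
        print(f"{host:20} {r.verdict:9} status={r.http_status} {r.detail}")
```

Against a live host, call `check_directory("your-host.example")` with the default fetcher; the stub table only exists so the redirect, auth-required, 404 and unreachable cases can be seen side by side without network access.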

References

  • The web-bot-auth directory draft (draft-meunier-http-message-signatures-directory) specifies the well-known directory endpoint.
  • RFC 7517 defines the key-set document the endpoint returns.
  • How grading works explains why an unreachable endpoint is treated as NOT FOUND rather than graded.

How the checker scores this

  • Tier: JWKS directory
  • Role: Advisory. Failing this never caps the grade or changes the verdict.
  • Point deduction: A failure deducts 25 points; a warning deducts 6.